Vulnerability Description
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3470888/nex-forms-express-wp-form-b
- https://www.wordfence.com/threat-intel/vulnerabilities/id/23b21dbd-caf7-49fc-bed
FAQ
What is CVE-2026-1948?
CVE-2026-1948 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in al...
How severe is CVE-2026-1948?
CVE-2026-1948 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1948?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.