NEX-Forms – Ultimate Forms Plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/nex-forms-express-wp-form-builder

Build beautiful responsive forms for WordPress. Contact forms, surveys, quizzes, booking forms, payments, popups & more with NEX-Forms...

7K active installs · v9.1.10 · PHP + WP 4.0+ · Updated Feb 27, 2026
Tags: contact-forms, form-builder, multi-step-forms, survey-forms, wordpress-forms
Score: 76 (B · Generally Safe)
CVEs total: 30
Unpatched: 0
Last CVE: Mar 14, 2026
Safety Verdict

Is NEX-Forms – Ultimate Forms Plugin for WordPress Safe to Use in 2026?

Mostly Safe

Score 76/100

NEX-Forms – Ultimate Forms Plugin for WordPress is generally safe to use. 30 past CVEs were resolved. Keep it updated.

30 known CVEs · Last CVE: Mar 14, 2026 · Updated 1mo ago
Risk Assessment

The "nex-forms-express-wp-form-builder" plugin shows a mixed security posture. Output escaping is good (99% of 569 outputs escaped) and most SQL queries use prepared statements (76%, 202 of 266), but several areas raise concerns. Of the 62 registered AJAX handlers, 16 are flagged as unprotected, meaning no authentication or authorization check was detected on the handler. In WordPress terms that matters more than it sounds: an action registered only on wp_ajax_ is still reachable by any logged-in account, Subscriber included, and an action also registered on wp_ajax_nopriv_ is reachable by anyone. That is the pattern behind the plugin's Missing Authorization CVEs (restore_records(), set_starred(), set_read(), and the Subscriber+ deactivate_license issue). The taint analysis additionally flags 10 high-severity flows (the data-flow section below lists 25 flows with unsanitized paths) in which user input reaches a dangerous sink without adequate sanitization, which is the precondition for the cross-site scripting, SQL injection and code injection findings in the CVE history.

The plugin's vulnerability history is long: 30 known CVEs, including 2 critical and 5 high-severity ones. The recurring types, Authorization Bypass, Cross-Site Scripting, Code Injection and SQL Injection, point to systemic gaps in authorization and input handling rather than one-off mistakes. Two qualifiers matter when weighing that history: both critical CVEs are SQL injections from 2015 (versions below 3.4 and 4.6.1), and every SQL injection listed since then requires Administrator privileges, which narrows its practical impact. There are currently no unpatched CVEs, and the 9.1.x fixes landed within 1 to 26 days of disclosure, compared with 26 to 33 days for some 2023 issues and far longer for older ones. The most recent entry (CVE-2026-1947, March 2026, unauthenticated arbitrary form entry modification) shows that unauthenticated issues are still being found, so the pattern requires ongoing vigilance and prompt patching by site owners.

In conclusion, the plugin's strengths in output escaping and prepared SQL statements are offset by a large set of AJAX endpoints without protection, high-severity taint flows, and a long history of authorization and injection bugs. Practical guidance: run 9.1.10 or later (the release that fixes CVE-2026-1947 and CVE-2026-1948), apply updates promptly, and limit who holds Contributor-or-higher accounts, since several stored XSS issues were exploitable from that role via the shortcode. The attack surface and the pattern of past exploitability justify a cautious deployment.

Key Concerns

  • Large attack surface without auth checks
  • High severity taint flows
  • 2 critical historical CVEs
  • 5 high historical CVEs
  • 23 medium historical CVEs
  • Common vulnerability types indicate systemic issues
  • Bundled outdated library (Freemius v1.0)
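
The "unprotected AJAX handler" and "user-controlled key" concerns above translate into one recurring WordPress coding pattern. The following is an added example written for this page, not code from NEX-Forms: a hypothetical entry-update handler (hook name demo_update_entry, table demo_entries, nonce action demo_entry_nonce are all invented) shown first in the shape that produces missing-authorization, CSRF and SQL injection findings, then hardened with the standard WordPress checks.

```php
<?php
/**
 * Added example (not NEX-Forms code). Hook names, the table name and the
 * capability are hypothetical; the WordPress API calls are real.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registered on both hooks, so anyone (nopriv) and any logged-in role can
// reach it. No nonce, no capability check, and the user-supplied entry id
// and value are interpolated straight into SQL.
add_action( 'wp_ajax_demo_update_entry',        'demo_update_entry_vuln' );
add_action( 'wp_ajax_nopriv_demo_update_entry', 'demo_update_entry_vuln' );

function demo_update_entry_vuln() {
    global $wpdb;
    $id    = $_POST['entry_id'];
    $value = $_POST['value'];
    $wpdb->query( "UPDATE {$wpdb->prefix}demo_entries SET data = '$value' WHERE id = $id" );
    echo 'updated';
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------
// 1. Only wp_ajax_ (logged-in users); the nopriv registration is dropped.
// 2. A nonce check defeats CSRF; a capability check stops Subscriber+ abuse.
// 3. The key is cast to int, the value sanitized, and the query prepared.
add_action( 'wp_ajax_demo_update_entry_safe', 'demo_update_entry_safe' );

function demo_update_entry_safe() {
    global $wpdb;

    // check_ajax_referer() dies with -1 (HTTP 403) on a missing or bad nonce.
    check_ajax_referer( 'demo_entry_nonce', '_ajax_nonce' );

    // A wp_ajax_ hook still fires for Subscribers, so authorize explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $id    = isset( $_POST['entry_id'] ) ? absint( $_POST['entry_id'] ) : 0;
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'bad entry id' ), 400 );
    }

    // If the record were per-user rather than admin-only, the WHERE clause
    // would also scope on the owner (e.g. AND owner_id = get_current_user_id())
    // instead of trusting the supplied id alone.
    $table = $wpdb->prefix . 'demo_entries';
    $rows  = $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET data = %s WHERE id = %d", $value, $id )
    );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'db error' ), 500 );
    }
    wp_send_json_success( array( 'updated' => (int) $rows ) );
}

// The nonce the admin page must hand to its script (hypothetical handle):
// wp_localize_script( 'demo-admin', 'demoAjax', array(
//     'url'   => admin_url( 'admin-ajax.php' ),
//     'nonce' => wp_create_nonce( 'demo_entry_nonce' ),
// ) );
```

The three checks are independent: the nonce alone does not stop a logged-in Subscriber who can read the nonce from a page, and the capability check alone does not stop a CSRF from an administrator's browser, which is why both appear in the hardened handler.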
Vulnerabilities
30

NEX-Forms – Ultimate Forms Plugin for WordPress Security Vulnerabilities

CVEs by Year

2015: 2 · 2020: 1 · 2021: 2 · 2022: 1 · 2023: 5 · 2024: 8 · 2025: 6 · 2026: 5 (all patched)

Severity Breakdown

Critical: 2 · High: 5 · Medium: 23 · 30 total CVEs

CVE-2026-1947 · high · 7.5 · Authorization Bypass Through User-Controlled Key

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id

Mar 14, 2026 · Patched in 9.1.10 (1d)

CVE-2026-1948 · medium · 4.3 · Missing Authorization

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

Mar 13, 2026 · Patched in 9.1.10 (1d)

CVE-2025-69326 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms <= 9.1.7 - Reflected Cross-Site Scripting

Feb 9, 2026 · Patched in 9.1.8 (8d)

CVE-2025-69324 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms <= 9.1.7 - Unauthenticated Stored Cross-Site Scripting

Feb 4, 2026 · Patched in 9.1.8 (6d)

CVE-2025-15510 · medium · 5.3 · Missing Authorization

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Jan 30, 2026 · Patched in 9.1.9 (1d)

CVE-2025-14803 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nex-Forms Express WP Form Builder <= 9.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 19, 2025 · Patched in 9.1.8 (26d)

CVE-2025-10185 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection

Oct 10, 2025 · Patched in 9.1.7 (1d)

CVE-2025-49399 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

NEX-Forms <= 9.1.3 - Cross-Site Request Forgery

Aug 20, 2025 · Patched in 9.1.4 (7d)

CVE-2025-4208 · medium · 6.3 · Improper Control of Generation of Code ('Code Injection')

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function

May 7, 2025 · Patched in 8.9.2 (1d)

CVE-2025-3468 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting

May 7, 2025 · Patched in 8.9.2 (1d)

CVE-2024-13498 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 - Unauthenticated Sensitive Information Exposure

Mar 11, 2025 · Patched in 8.8.2 (1d)

CVE-2024-10862 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms <= 8.7.15 - Authenticated (Admin+) SQL Injection

Dec 24, 2024 · Patched in 8.7.16 (28d)

CVE-2024-53808 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms – Ultimate Form Builder <= 8.7.8 - Authenticated (Administrator+) SQL Injection

Dec 2, 2024 · Patched in 8.7.9 (11d)

CVE-2024-47389 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms – Ultimate Form Builder <= 8.7.3 - Reflected Cross-Site Scripting

Sep 30, 2024 · Patched in 8.7.4 (11d)

CVE-2024-37512 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms – Ultimate Form Builder <= 8.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 5, 2024 · Patched in 8.6.1 (6d)

CVE-2024-25593 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms – Ultimate Form Builder <= 8.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Feb 12, 2024 · Patched in 8.5.6 (3d)

CVE-2024-0907 · medium · 5.3 · Missing Authorization

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()

Jan 31, 2024 · Patched in 8.5.7 (1d)

CVE-2024-1129 · medium · 5.3 · Missing Authorization

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_starred()

Jan 31, 2024 · Patched in 8.5.7 (1d)

CVE-2024-1130 · medium · 5.3 · Missing Authorization

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_read()

Jan 31, 2024 · Patched in 8.5.7 (1d)

CVE-2023-52120 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

NEX-Forms – Ultimate Form Builder <= 8.5.2 - Cross-Site Request Forgery

Dec 28, 2023 · Patched in 8.5.5 (26d)

CVE-2023-50838 · medium · 5.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.5 - Authenticated (Admin+) SQL Injection

Dec 21, 2023 · Patched in 8.5.6 (33d)

CVE-2023-0439 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms - Ultimate Form Builder <= 8.4.3 - Authenticated Stored Cross-Site Scripting via Form Name

Jun 26, 2023 · Patched in 8.4.4 (211d)

CVE-2023-2114 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms <= 8.3.3 - Authenticated (Administrator+) SQL Injection

Apr 17, 2023 · Patched in 8.4 (281d)

CVE-2023-0272 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NEX-Forms - Ultimate Form Builder <= 8.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Feb 28, 2023 · Patched in 8.3.3 (329d)

CVE-2022-3142 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms <= 7.9.6 - Authenticated (Administrator+) SQL Injection

Aug 1, 2022 · Patched in 7.9.7 (540d)

CVE-2021-24705 · high · 8.8 · Cross-Site Request Forgery (CSRF)

NEX-Forms – Ultimate Form Builder <= 8.4.2 - Cross-Site Request Forgery to Cross-Site Scripting

Nov 14, 2021 · Patched in 8.4.3 (800d)

CVE-2021-34676 · medium · 4.3 · Improper Authorization

NEX-Forms <= 7.8.7 Authorization Bypass

Jul 19, 2021 · Patched in 7.8.8 (918d)

CVE-2020-36670 · medium · 6.3 · Missing Authorization

NEX-Forms <= 7.7.1 - Missing Authorization on Various AJAX Actions

Nov 27, 2020 · Patched in 7.8 (1152d)

CVE-2015-9452 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms – Ultimate Form Builder < 4.6.1 - SQL Injection

Jul 16, 2015 · Patched in 4.6.1 (3113d)

WF-2e88aa9e-6d1d-44ba-8d63-2f4d4161bc9e-nex-forms-express-wp-form-builder · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 3.4 - SQL Injection

Apr 21, 2015 · Patched in 3.4 (3199d)
Code Analysis
Analyzed Mar 16, 2026

NEX-Forms – Ultimate Forms Plugin for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 64 (202 prepared)
Unescaped Output: 5 (564 escaped)
Nonce Checks: 26
Capability Checks: 52
File Operations: 13
External Requests: 8
Bundled Libraries: 2

Bundled Libraries

TinyMCE, Freemius 1.0

SQL Query Safety

76% prepared (202 of 266 total queries)

Output Escaping

99% escaped (564 of 569 total outputs)
Data Flows
25 unsanitized

Data Flow Analysis

25 flows, 25 with unsanitized paths

Example flow listed: create_report (includes\classes\class.dashboard.php:2112)
Attack Surface
16 unprotected

NEX-Forms – Ultimate Forms Plugin for WordPress Attack Surface

Entry Points: 63
Unprotected: 16

AJAX Handlers 62

Legend: auth = action registered on wp_ajax_{action}, reachable by any logged-in user (Subscriber included); nopriv = the same action also registered on wp_ajax_nopriv_{action}, reachable without logging in. Registration alone is not a protection; the handler must still check a nonce and a capability.

auth · wp_ajax_nexforms_get_add_on_stats · includes\classes\class.dashboard.php:853
auth · wp_ajax_get_table_records · includes\classes\class.dashboard.php:1783
auth · wp_ajax_do_form_entry_save · includes\classes\class.dashboard.php:1784
auth · wp_ajax_nf_report_get_additional_params · includes\classes\class.dashboard.php:1785
auth · wp_ajax_submission_report2 · includes\classes\class.dashboard.php:1787
auth · wp_ajax_nf_print_chart · includes\classes\class.dashboard.php:1789
auth · wp_ajax_nf_delete_form_entry · includes\classes\class.dashboard.php:1791
auth · wp_ajax_nf_entries_restore · includes\classes\class.dashboard.php:1793
auth · wp_ajax_nf_entries_set_starred · includes\classes\class.dashboard.php:1795
auth · wp_ajax_nf_entries_set_read · includes\classes\class.dashboard.php:1796
auth · wp_ajax_nf_reset_forms_menu · includes\classes\class.dashboard.php:1798
auth · wp_ajax_nf_print_to_pdf · includes\classes\class.dashboard.php:1801
auth · wp_ajax_nf_delete_pdf · includes\classes\class.dashboard.php:1802
auth · wp_ajax_nf_create_new_report · includes\classes\class.dashboard.php:1807
auth · wp_ajax_nf_edit_report · includes\classes\class.dashboard.php:1808
auth · wp_ajax_nf_print_report_to_pdf · includes\classes\class.dashboard.php:1813
auth · wp_ajax_nf_insert_record · includes\classes\class.db.php:14
auth · wp_ajax_nf_update_record · includes\classes\class.db.php:15
auth · wp_ajax_nf_delete_record · includes\classes\class.db.php:16
auth · wp_ajax_nf_duplicate_record · includes\classes\class.db.php:17
auth · wp_ajax_nf_delete_file · includes\classes\class.db.php:18
auth · wp_ajax_nf_delete_db_table · includes\classes\class.db.php:19
auth · wp_ajax_preview_nex_form · includes\classes\class.db.php:21
auth · wp_ajax_nf_get_forms · includes\classes\class.db.php:22
auth · wp_ajax_nf_load_nex_form · includes\classes\class.db.php:23
auth · wp_ajax_nf_get_email_setup · includes\classes\class.db.php:24
auth · wp_ajax_nf_get_pdf_setup · includes\classes\class.db.php:25
auth · wp_ajax_nf_get_options_setup · includes\classes\class.db.php:26
auth · wp_ajax_nf_hidden_fields · includes\classes\class.db.php:27
auth · wp_ajax_nf_load_form_entries · includes\classes\class.db.php:28
auth · wp_ajax_nf_populate_form_entry · includes\classes\class.db.php:29
auth · wp_ajax_nf_load_pagination · includes\classes\class.db.php:30
auth · wp_ajax_nf_populate_form_entry_dashboard · includes\classes\class.db.php:32
auth · wp_ajax_save_email_config · includes\classes\class.db.php:35
auth · wp_ajax_save_script_config · includes\classes\class.db.php:36
auth · wp_ajax_save_style_config · includes\classes\class.db.php:37
auth · wp_ajax_save_other_config · includes\classes\class.db.php:38
auth · wp_ajax_save_mc_key · includes\classes\class.db.php:39
auth · wp_ajax_save_gr_key · includes\classes\class.db.php:40
auth · wp_ajax_do_form_import · includes\classes\class.db.php:42
auth · wp_ajax_load_template · includes\classes\class.db.php:43
auth · wp_ajax_nf_load_conditional_logic · includes\classes\class.db.php:46
auth · wp_ajax_nf_send_test_email · includes\classes\class.db.php:47
auth · wp_ajax_update_paypal · includes\classes\class.db.php:49
auth · wp_ajax_get_c_logic_ui · includes\classes\class.db.php:50
auth · wp_ajax_do_upload_image · includes\classes\class.functions.php:10
auth · wp_ajax_dismiss_nf_notice · includes\classes\class.functions.php:2007
auth · wp_ajax_nexforms_install_addon · includes\classes\class.functions.php:2718
auth · wp_ajax_save_field_pref · includes\classes\class.preferences.php:12
auth · wp_ajax_save_validation_pref · includes\classes\class.preferences.php:13
auth · wp_ajax_save_email_pref · includes\classes\class.preferences.php:14
auth · wp_ajax_save_other_pref · includes\classes\class.preferences.php:15
auth · wp_ajax_submit_nex_form · main.php:2655
nopriv · wp_ajax_submit_nex_form · main.php:2656
auth · wp_ajax_nf_resend_email · main.php:2658
nopriv · wp_ajax_nf_resend_email · main.php:2659
auth · wp_ajax_nf_send_nf_email · main.php:2661
nopriv · wp_ajax_nf_send_nf_email · main.php:2662
auth · wp_ajax_nf_add_form_view · main.php:2664
nopriv · wp_ajax_nf_add_form_view · main.php:2665
auth · wp_ajax_nf_add_form_interaction · main.php:2685
nopriv · wp_ajax_nf_add_form_interaction · main.php:2686
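
The table above comes from the page's static scan; a site owner can reproduce a rough version of it on a running install. The script below is an added example, not part of NEX-Forms or of the scanner behind this page. It walks the global $wp_filter registry for every wp_ajax_* and wp_ajax_nopriv_* action whose callback lives under the plugin directory, reflects the callback to its source lines, and string-searches that body for WordPress nonce and capability calls. Run it inside WordPress, for example with `wp eval-file ajax-audit.php`. The string search is a heuristic: it cannot see checks made in a helper the handler calls, so a "NO" is a lead to read, not a finding.

```php
<?php
/**
 * Added example (not NEX-Forms code, not the page's scanner). Lists the
 * plugin's registered AJAX actions and heuristically flags callbacks whose
 * own body contains no nonce or capability call. Run via `wp eval-file`.
 */

// Plugin directory to audit; WP_PLUGIN_DIR is defined by WordPress.
$plugin_dir = WP_PLUGIN_DIR . '/nex-forms-express-wp-form-builder/';

/** Resolve a hook callback to a Reflection object, or null if it cannot be. */
function demo_reflect_callback( $cb ) {
    try {
        if ( $cb instanceof Closure || ( is_string( $cb ) && function_exists( $cb ) ) ) {
            return new ReflectionFunction( $cb );
        }
        if ( is_array( $cb ) && 2 === count( $cb ) ) {
            return new ReflectionMethod( $cb[0], $cb[1] ); // [ $object_or_class, 'method' ]
        }
        if ( is_string( $cb ) && false !== strpos( $cb, '::' ) ) {
            return new ReflectionMethod( $cb );             // 'Class::method'
        }
    } catch ( ReflectionException $e ) {
        // Unresolvable callback (e.g. removed class); reported as skipped below.
    }
    return null;
}

/** Return the source text of a reflected function or method. */
function demo_callback_source( $ref ) {
    $file = $ref->getFileName();
    if ( false === $file || ! is_readable( $file ) ) {
        return '';
    }
    $lines = file( $file );
    $start = $ref->getStartLine() - 1;
    $count = $ref->getEndLine() - $ref->getStartLine() + 1;
    return implode( '', array_slice( $lines, $start, $count ) );
}

global $wp_filter;
$rows = array();

foreach ( $wp_filter as $hook => $wp_hook ) {
    if ( 0 !== strpos( $hook, 'wp_ajax_' ) ) {
        continue;
    }
    // WP_Hook::$callbacks is keyed by priority, then by callback id.
    foreach ( $wp_hook->callbacks as $priority => $callbacks ) {
        foreach ( $callbacks as $entry ) {
            $ref = demo_reflect_callback( $entry['function'] );
            if ( null === $ref ) {
                continue;
            }
            $file = (string) $ref->getFileName();
            if ( 0 !== strpos( $file, $plugin_dir ) ) {
                continue; // belongs to core or another plugin
            }
            $src    = demo_callback_source( $ref );
            $nonce  = (bool) preg_match( '/\b(check_ajax_referer|wp_verify_nonce|check_admin_referer)\s*\(/', $src );
            $cap    = (bool) preg_match( '/\b(current_user_can|user_can|is_super_admin)\s*\(/', $src );
            $rows[] = array(
                'hook'   => $hook,
                'nopriv' => 0 === strpos( $hook, 'wp_ajax_nopriv_' ) ? 'yes' : 'no',
                'nonce'  => $nonce ? 'yes' : 'NO',
                'cap'    => $cap ? 'yes' : 'NO',
                'where'  => str_replace( $plugin_dir, '', $file ) . ':' . $ref->getStartLine(),
            );
        }
    }
}

printf( "%-48s %-6s %-5s %-4s %s\n", 'hook', 'nopriv', 'nonce', 'cap', 'callback' );
foreach ( $rows as $r ) {
    printf( "%-48s %-6s %-5s %-4s %s\n", $r['hook'], $r['nopriv'], $r['nonce'], $r['cap'], $r['where'] );
}
```

Rows with nopriv = yes and both checks "NO" are the ones to read first; those are the handlers an unauthenticated request to admin-ajax.php can reach without any gate in the handler itself.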

Shortcodes 1

[NEXForms] main.php:379
WordPress Hooks 23

action · init · includes\classes\class.export.php:6
action · admin_notices · includes\classes\class.functions.php:2003
action · init · includes\load.php:32
action · admin_bar_menu · includes\load.php:322
action · admin_enqueue_scripts · includes\load.php:325
action · admin_enqueue_scripts · includes\load.php:326
action · admin_enqueue_scripts · main.php:62
action · wp_print_scripts · main.php:97
action · wp_print_styles · main.php:98
action · init · main.php:99
action · init · main.php:100
action · widgets_init · main.php:103
action · admin_menu · main.php:381
action · init · main.php:388
filter · mce_external_plugins · main.php:392
filter · mce_buttons · main.php:393
action · init · main.php:456
action · admin_menu · main.php:650
filter · safe_style_css · main.php:2629
action · admin_head · main.php:3696
filter · mce_external_plugins · main.php:3708
filter · mce_buttons · main.php:3709
action · init · main.php:5878
Maintenance & Trust

NEX-Forms – Ultimate Forms Plugin for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 27, 2026
PHP min version: not listed
Downloads: 514K

Community Trust

Rating: 82/100
Number of ratings: 136
Active installs: 7K
Developer Profile

NEX-Forms – Ultimate Forms Plugin for WordPress Developer Profile

Basix

4 plugins · 9K total installs
Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 357 days
Detection Fingerprints

How We Detect NEX-Forms – Ultimate Forms Plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nex-forms-express-wp-form-builder/admin/css/public.css
Version Parameters
nex-forms-express-wp-form-builder/admin/css/public.css?ver=

HTML / DOM Fingerprints

CSS Classes
nexforms-container, nexforms-main, nexforms-content, nexforms-row, nexforms-col, nexforms-form, nexforms-field, nexforms-label, +22 more
Data Attributes
data-nexforms-field-id, data-nexforms-form-id, data-nexforms-field-type
JS Globals
nexforms_params
Shortcode Output
[nexforms-form id=
FAQ

Frequently Asked Questions about NEX-Forms – Ultimate Forms Plugin for WordPress