cbcvebase.
CVE-2025-4208
published 2025-05-08

Priority: P339, medium, 6.3 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.28% (19.9th percentile)
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).

Affected

3 ranges

Vendor        Product                                         Version range   Fixed in
basixonline   nex-forms                                       <= 8.9.2
msrc          cbl2_kernel_5.15.131.1-2_on_cbl_mariner_2.0
webaways      nex-forms_ultimate_forms_plugin_for_wordpress   <= 8.9.1

CVSS provenance

nvd (v3.1): 6.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vendor_msrc: 7.8 HIGH