Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The Vedrixa Forms - User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form - adding, removing, or altering fields - by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.
AnalysisAI
Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.
Technical ContextAI
The affected product is the Vedrixa Forms - User Registration Form, Signup Form & Drag & Drop Form Builder WordPress plugin, identified by CPE cpe:2.3:a:registrationformbuilder:vedrixa_forms_-_user_registration_form,_signup_form_&_drag_&_drop_form_builder:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization): the AJAX handler responsible for persisting form structure - referenced in class-registration-form-builder-admin.php at line 866 and class-registration-form-builder.php at line 174 - does not verify that the requesting user holds administrative or editor-level capabilities before allowing writes to the FORMS database table. WordPress nonces (ajax-nonce) provide CSRF replay protection but are explicitly not an authorization mechanism; they confirm request freshness, not permission. The compounding issue is that this nonce is emitted into the public frontend via wp_localize_script() (class-registration-form-builder-public.php line 121), so it is available in the page DOM to any authenticated user who loads a page containing a Vedrixa Forms shortcode - collapsing what should be an admin-only operation to any subscriber-level session.
RemediationAI
Upstream fix available (WordPress plugin repository changeset 3540543 is referenced in the input); however, a specific released fixed version number was not confirmed in the provided intelligence - check the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3b8a6c-1c84-4abe-ad4a-02302b04987b and the WordPress plugin repository for the latest available version beyond 1.1.1, and update immediately upon confirmation. As a compensating control pending patch verification, disable public user self-registration on affected WordPress sites (Settings → General → uncheck 'Anyone can register'); note that this prevents new user self-signup as a trade-off. Additionally, audit existing subscriber-level and above accounts for unauthorized changes to form structures in the FORMS database table. Consider deploying a WordPress WAF rule (e.g., via Wordfence) to block unauthorized AJAX calls targeting the form-save endpoint while the patch is being staged.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31414
GHSA-92j9-vfpr-4xhf