Skip to main content

Vedrixa Forms CVE-2026-8692

| EUVDEUVD-2026-31414 MEDIUM
Missing Authorization (CWE-862)
2026-05-22 Wordfence GHSA-92j9-vfpr-4xhf
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 09:32 vuln.today

DescriptionCVE.org

The Vedrixa Forms - User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form - adding, removing, or altering fields - by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access.

AnalysisAI

Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.

Technical ContextAI

The affected product is the Vedrixa Forms - User Registration Form, Signup Form & Drag & Drop Form Builder WordPress plugin, identified by CPE cpe:2.3:a:registrationformbuilder:vedrixa_forms_-_user_registration_form,_signup_form_&_drag_&_drop_form_builder:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization): the AJAX handler responsible for persisting form structure - referenced in class-registration-form-builder-admin.php at line 866 and class-registration-form-builder.php at line 174 - does not verify that the requesting user holds administrative or editor-level capabilities before allowing writes to the FORMS database table. WordPress nonces (ajax-nonce) provide CSRF replay protection but are explicitly not an authorization mechanism; they confirm request freshness, not permission. The compounding issue is that this nonce is emitted into the public frontend via wp_localize_script() (class-registration-form-builder-public.php line 121), so it is available in the page DOM to any authenticated user who loads a page containing a Vedrixa Forms shortcode - collapsing what should be an admin-only operation to any subscriber-level session.

RemediationAI

Upstream fix available (WordPress plugin repository changeset 3540543 is referenced in the input); however, a specific released fixed version number was not confirmed in the provided intelligence - check the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3b8a6c-1c84-4abe-ad4a-02302b04987b and the WordPress plugin repository for the latest available version beyond 1.1.1, and update immediately upon confirmation. As a compensating control pending patch verification, disable public user self-registration on affected WordPress sites (Settings → General → uncheck 'Anyone can register'); note that this prevents new user self-signup as a trade-off. Additionally, audit existing subscriber-level and above accounts for unauthorized changes to form structures in the FORMS database table. Consider deploying a WordPress WAF rule (e.g., via Wordfence) to block unauthorized AJAX calls targeting the form-save endpoint while the patch is being staged.

Share

CVE-2026-8692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy