The NEX-Forms – Ultimate Forms Plugin for WordPress contains a SQL Injection vulnerability identified as CVE-2025-10185. This vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) specifically in the 'orderby' parameter within the nf_load_form_entries action. The plugin fails to sufficiently escape user-supplied input and does not properly prepare SQL queries, allowing attackers with authenticated Administrator-level access to inject additional SQL statements. This injection can be used to extract sensitive information from the underlying database. Although the vulnerability requires high privileges (Administrator or above), it may be exploitable by lower-privileged users if administrators grant them access. The vulnerability affects all versions up to and including 9.1.6 of the plugin. The CVSS v3.1 score is 4.9 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and impact primarily on confidentiality. No public exploits have been reported to date. The vulnerability does not affect data integrity or availability but poses a risk of sensitive data leakage. The plugin vendor has not yet published a patch, so mitigation relies on access control and monitoring.

This vulnerability primarily threatens the confidentiality of data stored in WordPress databases using the NEX-Forms plugin. An attacker with Administrator-level access can exploit the SQL Injection to extract sensitive information such as user credentials, form submissions, or other confidential data. Although exploitation requires elevated privileges, the risk increases if administrators grant lower-level users access or if credentials are compromised. Data leakage can lead to privacy violations, regulatory non-compliance, and reputational damage. Since WordPress powers millions of websites worldwide, including business, government, and e-commerce sites, the potential impact is significant for organizations relying on this plugin. The vulnerability does not directly affect data integrity or availability, so it is less likely to cause service disruption or data manipulation. However, the exposure of sensitive data can facilitate further attacks or unauthorized access.

1. Immediately restrict access to the NEX-Forms plugin administration interfaces to trusted Administrator-level users only and review user privileges to ensure no unnecessary elevated access is granted. 2. Monitor and audit logs for unusual database queries or access patterns related to form entries. 3. If possible, temporarily disable or uninstall the NEX-Forms plugin until a vendor patch is released. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection attempts targeting the 'orderby' parameter in nf_load_form_entries actions. 5. Encourage the plugin vendor to release a patch that properly escapes and prepares SQL queries to prevent injection. 6. Educate site administrators on the risks of granting elevated privileges and enforce strong authentication mechanisms to reduce the risk of credential compromise. 7. Regularly back up WordPress databases and configurations to enable recovery in case of compromise. 8. Conduct vulnerability scans and penetration tests focusing on WordPress plugins to identify similar injection flaws proactively.