CVE-2025-15510: CWE-862 Missing Authorization in webaways NEX-Forms – Ultimate Forms Plugin for WordPress
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, which may include sensitive data such as email addresses, PayPal API credentials, and third-party integration keys, by enumerating the nex_forms_Id parameter.
AI Analysis
Technical Summary
CVE-2025-15510 is a missing authorization vulnerability (CWE-862) in the NEX-Forms – Ultimate Forms Plugin for WordPress, located in the NF5_Export_Forms class constructor. Because the constructor performs no capability check, unauthenticated attackers can export form configurations by enumerating the nex_forms_Id parameter. The exported data may include sensitive information such as email addresses, PayPal API credentials, and keys for third-party integrations, which could be leveraged for further attacks like phishing, fraud, or unauthorized access to payment systems. The vulnerability affects all plugin versions up to and including 9.1.8. Since it requires neither authentication nor user interaction and can be exploited remotely, it poses a significant risk to websites using this plugin. The CVSS 3.1 base score is 5.3 (medium severity), with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L). No integrity or availability impacts are noted. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on January 12, 2026, and published on January 31, 2026, by Wordfence.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive configuration data from WordPress sites using the vulnerable NEX-Forms plugin. Exposure of email addresses can facilitate targeted phishing campaigns, while leaked PayPal API credentials and third-party integration keys can lead to financial fraud, unauthorized transactions, or compromise of connected services. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can have cascading effects, including reputational damage, regulatory compliance violations (e.g., GDPR), and potential financial losses. Organizations relying on this plugin for form management, especially those handling payment or personal data, are at risk. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and exploitation attempts by attackers. The vulnerability could be leveraged as an initial access vector or to gather intelligence for more sophisticated attacks.
Mitigation Recommendations
1. Immediate mitigation involves updating the NEX-Forms plugin to a version that includes proper authorization checks once a patch is released by the vendor.
2. Until an official patch is available, restrict access to the export functionality by implementing web application firewall (WAF) rules that block requests attempting to enumerate the nex_forms_Id parameter or access the NF5_Export_Forms endpoint.
3. Limit public exposure of the WordPress admin and plugin endpoints by enforcing IP whitelisting or VPN access for administrative functions.
4. Regularly audit and rotate sensitive credentials such as PayPal API keys and third-party integration keys to minimize the impact of potential leaks.
5. Monitor web server logs and intrusion detection systems for suspicious requests targeting the plugin's export functionality.
6. Educate site administrators about the risks and encourage disabling or removing unused plugins to reduce attack surface.
7. Employ the principle of least privilege for WordPress user roles to minimize potential damage from compromised accounts.
8. Back up form configurations and sensitive data securely to enable recovery if data is compromised.
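The log monitoring in recommendation 5 can start from a check like the one below, which flags clients that request many distinct nex_forms_Id values. This is an added example, not code from the advisory or the plugin: it assumes Combined Log Format access logs, only sees the parameter when it appears in the query string (a value sent in a POST body is not logged), and the threshold, the placeholder request path and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')
PARAM = "nex_forms_id"  # matched case-insensitively; the advisory spells it nex_forms_Id


def find_enumeration(lines, min_distinct_ids=5):
    """Return {client_ip: sorted form IDs} for clients that requested at least
    min_distinct_ids different nex_forms_Id values (threshold is an assumption)."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for key, values in query.items():
            if key.lower() == PARAM:
                seen[m["ip"]].update(v for v in values if v.isdigit())
    return {ip: sorted(ids, key=int) for ip, ids in seen.items()
            if len(ids) >= min_distinct_ids}


# Constructed sample log; the request path is a placeholder, not the plugin's real endpoint.
SAMPLE_LOG = [
    f'203.0.113.7 - - [31/Jan/2026:02:10:{i:02d} +0000] '
    f'"GET /PLACEHOLDER-PATH?nex_forms_Id={i} HTTP/1.1" 200 5120 "-" "curl/8.5.0"'
    for i in range(1, 9)
] + [
    '198.51.100.20 - - [31/Jan/2026:02:11:00 +0000] '
    '"GET /PLACEHOLDER-PATH?nex_forms_Id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [31/Jan/2026:02:11:05 +0000] '
    '"GET /contact/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct nex_forms_Id values requested: {', '.join(ids)}")
```

Any address it reports is a reason to rotate the credentials stored in the affected forms, as recommendation 4 describes.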
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-12T09:18:03.372Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697d6520ac06320222aa2326
Added to database: 1/31/2026, 2:12:48 AM
Last enriched: 2/27/2026, 12:01:43 PM
Last updated: 3/16/2026, 7:27:44 PM