The vulnerability identified as CVE-2025-4208 affects all versions up to and including 8.9.1 of the NEX-Forms – Ultimate Forms Plugin for WordPress, developed by webaways. The root cause is improper control of code generation (CWE-94), specifically a code injection flaw in the get_table_records function. This function uses PHP's call_user_func() to invoke functions dynamically based on user input, but it fails to sanitize or validate this input properly. As a result, authenticated users with Custom-level access privileges can supply crafted input that causes the plugin to execute arbitrary PHP functions. The exploit is limited to static methods or global functions that accept a single array parameter, which constrains but does not eliminate the potential for malicious code execution. The vulnerability does not require user interaction beyond authentication, and the attack vector is remote over the network. The CVSS v3.1 base score is 6.3, reflecting medium severity due to the requirement for authenticated access and the limited scope of code execution. No patches or official fixes have been released at the time of publication, and no active exploitation has been observed. The vulnerability could be leveraged to manipulate site data, escalate privileges, or disrupt service depending on the functions invoked.

This vulnerability poses a significant risk to organizations running WordPress sites with the vulnerable NEX-Forms plugin installed. Attackers with Custom-level access—often granted to contributors or users with some editorial privileges—can execute arbitrary PHP functions, potentially leading to unauthorized data access, modification, or deletion. This undermines the confidentiality and integrity of the site’s data and may also impact availability if critical functions are disrupted. Given WordPress’s widespread use globally, many websites, including corporate, governmental, and e-commerce platforms, could be affected. Exploitation could facilitate further attacks such as privilege escalation, webshell deployment, or lateral movement within hosting environments. The medium severity rating reflects the need for authentication and the limited function invocation constraints, but the impact on compromised sites can still be substantial, especially if sensitive data or critical business functions are involved.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict access to users with Custom-level permissions or higher, ensuring only trusted users have such roles. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the get_table_records function or unusual use of call_user_func(). 3) Monitor logs for anomalous activity indicative of code injection attempts, such as unexpected function calls or unusual parameter patterns. 4) Disable or remove the NEX-Forms plugin if it is not essential to reduce the attack surface. 5) If possible, apply code-level mitigations by sanitizing and validating inputs passed to call_user_func() or temporarily modifying the plugin code to restrict callable functions to a safe whitelist. 6) Maintain regular backups and ensure recovery procedures are tested to mitigate potential damage from exploitation. 7) Stay informed on vendor advisories for forthcoming patches and apply updates promptly once available.