Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder Vulnerability (CVE-2026-8692)

On this page

Security Alert Summary

The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress has an authorization bypass vulnerability (CVE-2026-8692) that affects all versions up to and including 1.1.1. Authenticated users with subscriber-level access or higher can overwrite form structure by writing attacker-controlled data to the plugin’s FORMS database table because the plugin does not properly verify authorization for the action. The nonce used by the handler is exposed to authenticated visitors via wp_localize_script().


CVE Details

  • CVE ID: CVE-2026-8692
  • Affected component: Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress
  • Affected versions: All versions up to and including 1.1.1
  • Published: May 22, 2026 at 9:16:33 AM UTC
  • Last modified: May 22, 2026 at 9:16:33 AM UTC
  • CVSS v3.1: Base score 4.3, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: Privileges Required: LOW (authenticated user with low-level privileges such as subscriber); User Interaction: NONE
  • Primary impact: Integrity: LOW (ability to modify form structure). Confidentiality: NONE. Availability: NONE.
  • CWE / weakness: CWE-862 (Missing Authorization)

Technical Details

The plugin fails to properly verify that a user is authorized to perform form-structure updates. An authorization bypass allows any authenticated user with subscriber-level access or higher to send attacker-controlled data that overwrites records in the plugin’s FORMS database table, resulting in added, removed, or altered form fields.

The vulnerability is enabled because the handler relies on an ‘ajax-nonce’ value that is injected into the public frontend via wp_localize_script(). Any authenticated visitor who loads a page containing a form shortcode can obtain that nonce without elevated privileges, allowing the request to the form-update handler to succeed without appropriate authorization checks.

The practical impact is limited to modification of form structure and behavior (integrity). The vulnerability does not, by itself, indicate a confidentiality or availability breach, but altered forms could be used to collect additional input from users or to change submission behavior.


How This Could Impact Your Website

Consider a small team managing a WordPress site: a site owner, an editor who manages content, and an external contractor who contributes posts. If an authenticated contributor or subscriber visits a page with a Vedrixa Forms shortcode, an attacker with subscriber-level access could obtain the exposed nonce and modify a form used for registrations or contact submissions. That attacker could add or change fields to capture additional information submitted by users, which may increase the risk of targeted phishing or social engineering.

Changes to form structure could also disrupt workflows for internal staff who rely on predictable form data or automated processing. If you handle user signups or collect user information via forms, altered fields may lead to unexpected data collection or processing issues.

If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and subscribers who do not need form-editing capabilities.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and form submissions for unusual behavior or unexpected changes to form fields.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References