CVE-2025-4208 – NEX-Forms PHP Code Execution Vulnerability

May 8, 2025

CVE ID : CVE-2025-4208

Published : May 8, 2025, 12:15 p.m. | 3 hours, 22 minutes ago

Description : The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).

Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2024-6648 – AP Page Builder Path Traversal RCE

Next Article CVE-2025-3862 – Contest Gallery WordPress Stored Cross-Site Scripting Vulnerability

Highlights

CVE-2025-46344 – Auth0 Next.js SDK: JWE Token Expiration Claim Omission

April 29, 2025

CVE ID : CVE-2025-46344

Published : April 29, 2025, 9:15 p.m. | 1 hour, 52 minutes ago

Description : The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CodeSOD: A Unique Way to Primary Key

BrowserStack launches Figma plugin for detecting accessibility issues in design phase

Parasoft brings agentic AI to service virtualization in latest release

Node.js vs. Python for Backend: 7 Reasons C-Level Leaders Choose Node.js Talent

The best CRM software with email marketing in 2025: Expert tested and reviewed

This multi-port car charger can power 4 gadgets at once – and it’s surprisingly cheap

I’m a wearables editor and here are the 7 Pixel Watch 4 rumors I’m most curious about

8 ways I quickly leveled up my Linux skills – and you can too

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

The Intersection of Agile and Accessibility – A Series on Designing for Everyone

Zero Trust & Cybersecurity Mesh: Your Org’s Survival Guide

Execute Ping Commands and Get Back Structured Data in PHP

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

A Tomb Raider composer has been jailed — His legacy overshadowed by $75k+ in loan fraud

“I don’t think I changed his mind” — NVIDIA CEO comments on H20 AI GPU sales resuming in China following a meeting with President Trump

Galaxy Z Fold 7 review: Six years later — Samsung finally cracks the foldable code

CVE-2025-4208 – NEX-Forms PHP Code Execution Vulnerability

CVE-2025-44658 – Netgear RAX30 PHP-FPM Misconfigured Extension Bypass Vulnerability

CVE-2025-7393 – Drupal Mail Login Authentication Bypass

xemu emulates the original Microsoft Xbox game console

Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes

CVE-2025-46728: cpp-httplib Vulnerability Exposes Servers to Denial of Service

Streamline API Resources with Laravel’s Fluent Methods

CVE-2025-46344 – Auth0 Next.js SDK: JWE Token Expiration Claim Omission

CVE-2025-27954 – Apache Clinical Collaboration Platform Cross-Site Scripting (XSS) and Remote Code Execution

CVE-2025-5488 – WordPress WP Masonry & Infinite Scroll Stored Cross-Site Scripting Vulnerability

CVE-2025-6068 – FooGallery WordPress Stored Cross-Site Scripting Vulnerability

CVE-2025-4208 – NEX-Forms PHP Code Execution Vulnerability

Related Posts