Unauthorized Access in NEX-Forms Plugin for WordPress
CVE-2024-0907

4.3MEDIUM

Key Information:

Vendor
Wordpress
Status
NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vendor
CVE Published:
29 February 2024

Summary

The NEX-Forms – Ultimate Form Builder plugin for WordPress is susceptible to unauthorized access due to a lack of capability checks within the restore_records() function. This vulnerability affects all versions up to and including 8.5.6, enabling authenticated users with subscriber-level access or higher to restore sensitive records. This issue poses a risk to the integrity of user data, as unauthorized users could exploit this oversight to gain access to information that should be protected.

Affected Version(s)

NEX-Forms – Ultimate Form Builder – Contact forms and much more * <= 8.5.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/nex-forms-expr...
https://plugins.trac.wordpress.org/browser/nex-forms-expr...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Francesco Carlucci
.