SQL Injection Vulnerability in NEX-Forms Plugin for WordPress
CVE-2024-10862

4.9 MEDIUM

Key Information:

Summary

An SQL injection vulnerability has been discovered in the NEX-Forms - Ultimate Form Builder plugin for WordPress, affecting all versions up to and including 8.7.13. The flaw stems from inadequate escaping of user-supplied input in the 'search_params' parameter, combined with an existing SQL query that is not prepared with bound parameters. As a result, unauthorized attackers can append additional SQL to the query, potentially extracting sensitive information from the database. In addition, the get_table_records AJAX action performs no nonce validation, which exposes it to CSRF: an attacker can cause the action to be triggered on behalf of a logged-in user without that user's consent.
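The two root causes named above (unescaped input concatenated into SQL, and an AJAX action without nonce validation) map onto a well-known WordPress pattern and its fix. The following is an added illustrative example, not code from the NEX-Forms plugin: it shows a hypothetical admin-ajax handler written the vulnerable way beside the hardened version. The table name, column names and capability check are assumptions chosen for illustration; only the 'search_params' parameter and the get_table_records action name come from the advisory.

```php
<?php
// Added example, not the plugin's code. The table {$wpdb->prefix}nf_records,
// its columns, and the 'manage_options' capability are assumptions.

// Vulnerable pattern: no nonce or capability check, and the user-supplied
// search term is concatenated straight into the SQL string.
function nf_get_table_records_unsafe() {
    global $wpdb;
    $search = isset( $_POST['search_params'] ) ? $_POST['search_params'] : '';
    $sql = "SELECT id, form_id, created FROM {$wpdb->prefix}nf_records "
         . "WHERE field_value LIKE '%" . $search . "%'";   // injectable
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened pattern: verify the nonce (blocks CSRF), require a capability,
// and bind the input through $wpdb->prepare() so it is only ever a value.
function nf_get_table_records_safe() {
    // check_ajax_referer() dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'get_table_records', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    global $wpdb;
    $search = isset( $_POST['search_params'] )
        ? sanitize_text_field( wp_unslash( $_POST['search_params'] ) )
        : '';

    // esc_like() neutralises LIKE wildcards; prepare() binds the value as %s.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, form_id, created FROM {$wpdb->prefix}nf_records WHERE field_value LIKE %s",
        $like
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_get_table_records', 'nf_get_table_records_safe' );

// The page that issues the request must embed a matching nonce, e.g.
// wp_create_nonce( 'get_table_records' ), and POST it as the 'nonce' field
// alongside 'search_params'.
```

The capability check matters independently of the nonce: a nonce only proves the request originated from a page WordPress rendered for that user, not that the user is entitled to read form records. The advisory's CVSS vector lists Privileges Required as High, so in the hardened version the capability gate should be at least as strict as the data warrants.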

Affected Version(s)

NEX-Forms – Ultimate Form Builder – Contact forms and much more: all versions <= 8.7.13

References

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mohamed Awad