Unauthorized Access in NEX-Forms Ultimate Form Builder Plugin for WordPress
CVE-2024-1129

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Nex-forms – Ultimate Form Builder – Contact Forms And Much More
Vendor: CVE Published:; 29 February 2024

What is CVE-2024-1129?

The NEX-Forms – Ultimate Form Builder plugin for WordPress exhibits a vulnerability that allows authenticated users, particularly those with subscriber-level access and higher, to exploit a missing capability check in the set_starred() function. This flaw is present in versions up to and including 8.5.6, enabling unauthorized manipulation of records, which could have significant impacts on data integrity and security. Users are urged to update to the latest version to mitigate potential risks.

Affected Version(s)

NEX-Forms – Ultimate Form Builder – Contact forms and much more * <= 8.5.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/nex-forms-expr...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Jan 31, 2024

Credit

Francesco Carlucci

Wordpress

What is CVE-2024-1129?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit