Unauthorized Access in NEX-Forms Plugin for WordPress
CVE-2024-1130

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vendor: CVE Published:; 29 February 2024

What is CVE-2024-1130?

The NEX-Forms – Ultimate Form Builder plugin for WordPress contains a security flaw that allows authenticated attackers, with subscriber-level access or higher, to bypass necessary capability checks in the set_read() function. This vulnerability, present in all versions up to and including 8.5.6, potentially grants attackers the ability to mark records as read, leading to unauthorized access to sensitive information. Users of this plugin are advised to upgrade to version 8.5.7 or later to mitigate this risk.

Affected Version(s)

NEX-Forms – Ultimate Form Builder – Contact forms and much more * <= 8.5.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/nex-forms-expr...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Jan 31, 2024

Credit

Francesco Carlucci

Wordpress

What is CVE-2024-1130?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit