The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
References
Configurations
History
21 Nov 2024, 07:18
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html - | |
References | () https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5 - | |
References | () https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328 - Exploit, Third Party Advisory |
27 Mar 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-19 14:15
Updated : 2024-11-21 07:18
NVD link : CVE-2022-3142
Mitre link : CVE-2022-3142
CVE.ORG link : CVE-2022-3142
JSON object : View
Products Affected
basixonline
- nex-forms
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')