CVE-2024-1130

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_read() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as read.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493	Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512	Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539	Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490	Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502	Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74?source=cve	Third Party Advisory
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493	Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512	Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539	Patch
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490	Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502	Product
https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*

History

15 Jan 2025, 17:29

Type	Values Removed	Values Added
CWE		CWE-862
CPE		cpe:2.3:a:basixonline:nex-forms::::::wordpress::*
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493 - Patch
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512 - Patch
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539 - Patch
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490 - Product
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502 - Product
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524 - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74?source=cve - Third Party Advisory
First Time		Basixonline nex-forms Basixonline

21 Nov 2024, 08:49

Type	Values Removed	Values Added
Summary		(es) El complemento NEX-Forms – Ultimate Form Builder – Contact forms and much more para WordPress es vulnerable al acceso no autorizado debido a una falta de verificación de capacidad en la función set_read() en todas las versiones hasta la 8.5.6 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, marquen registros como leídos.
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493 -
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512 -
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539 -
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490 -
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502 -
References	~~() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524 -~~	() https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524 -
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74?source=cve -

29 Feb 2024, 01:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-29 01:43

Updated : 2025-01-15 17:29

NVD link : CVE-2024-1130

Mitre link : CVE-2024-1130

CVE.ORG link : CVE-2024-1130

JSON object : View

Products Affected

basixonline

nex-forms

CWE

CWE-862

Missing Authorization

5.3 /10