Lucene search

[email protected]CVE-2024-0907

HistoryFeb 29, 2024 - 1:43 a.m.

CVE-2024-0907

2024-02-2901:43:30

[email protected]

web.nvd.nist.gov

nex-forms

wordpress

plugin

unauthorized access

vulnerability

cve-2024-0907

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.2%

JSON

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.

Affected configurations

Vulners

Node

webawaysnex-forms_–_ultimate_form_builder_–_contact_forms_and_much_moreRange≤8.5.6

CNA Affected

[
  {
    "vendor": "webaways",
    "product": "NEX-Forms – Ultimate Form Builder – Contact forms and much more",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "8.5.6",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1493

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1512

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/8.5.7/includes/classes/class.dashboard.php#L1539

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1490

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1502

plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/trunk/includes/classes/class.dashboard.php#L1524

www.wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4?source=cve

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.2%

JSON

Related for CVE-2024-0907

nvd1 prion1 cvelist1 wpvulndb1 wordfence1