Lucene search
K

81 matches found

Cvelist
Cvelist
added 2025/03/12 5:22 a.m.12 views

CVE-2024-13498 NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 - Unauthenticated Sensitive Information Exposure

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This make...

5.3CVSS0.00357EPSS
Exploits0References2
CVE
CVE
added 2025/03/12 5:22 a.m.49 views

CVE-2024-13498

CVE-2024-13498 involves the WordPress plugin NEX-Forms – Ultimate Form Builder, where unauthenticated attackers can exfiltrate sensitive data via file uploads in all versions up to 8.8.1 due to insufficient directory listing protection and non-randomized file names. The issue is confirmed in conn...

5.3CVSS5.2AI score0.00357EPSS
Exploits0References2
OSV
OSV
added 2024/12/25 7:15 a.m.8 views

CVE-2024-10862

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'searchparams' parameter in all versions up to, and including, 8.7.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

4.9CVSS7.3AI score0.00578EPSS
Exploits0References2
CVE
CVE
added 2024/12/25 6:42 a.m.59 views

CVE-2024-10862

CVE-2024-10862 affects the WordPress plugin “NEX-Forms – Ultimate Form Builder”. The issue is an authenticated SQL Injection via the search_params parameter in the affected queries, exploitable in versions up to 8.7.13 (and disclosed under authenticated admin context). Root cause: insufficient es...

4.9CVSS7.2AI score0.00578EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2024/12/25 6:42 a.m.27 views

CVE-2024-10862 NEX-Forms <= 8.7.15 - Authenticated (Admin+) SQL Injection

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'searchparams' parameter in all versions up to, and including, 8.7.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

4.9CVSS0.00578EPSS
Exploits0References3
Patchstack
Patchstack
added 2024/12/24 10:10 p.m.6 views

WordPress NEX-Forms plugin <= 8.7.15 - Authenticated (Admin+) SQL Injection vulnerability

Authenticated Admin+ SQL Injection vulnerability discovered by M.Awad in WordPress Plugin NEX-Forms versions = 8.7.15...

4.9CVSS8.1AI score0.00578EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2024/09/30 11:6 a.m.7 views

WordPress NEX-Forms plugin <= 8.7.3 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Le Ngoc Anh Patchstack Alliance in WordPress Plugin NEX-Forms versions = 8.7.3...

7.1CVSS6.1AI score0.00302EPSS
Exploits0Affected Software1
OSV
OSV
added 2024/02/29 1:43 a.m.4 views

CVE-2024-1130

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the setread function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00598EPSS
Exploits0References7
OSV
OSV
added 2024/02/29 1:43 a.m.4 views

CVE-2024-1129

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the setstarred function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00598EPSS
Exploits0References7
OSV
OSV
added 2023/07/17 2:15 p.m.5 views

CVE-2023-0439

The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such featur...

5.4CVSS5.8AI score0.00367EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2023/07/17 12:0 a.m.9 views

PT-2023-16270 · WordPress · Nex-Forms

Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4.4 Description: The issue is related to Stored Cross-Site Scripting, which could be caused by the lack of proper escaping of the form name. This could potentially be exploited by users with acce...

5.4CVSS6AI score0.00367EPSS
Exploits1References3
OSV
OSV
added 2023/05/08 2:15 p.m.2 views

CVE-2023-2114

The NEX-Forms WordPress plugin before 8.4 does not properly escape the table parameter, which is populated with user input, before concatenating it to an SQL query...

7.2CVSS7.2AI score0.44629EPSS
Exploits3References2
Vulnrichment
Vulnrichment
added 2023/05/08 1:58 p.m.14 views

CVE-2023-2114 NEX-Forms < 8.4 - Admin+ SQL Injection

The NEX-Forms WordPress plugin before 8.4 does not properly escape the table parameter, which is populated with user input, before concatenating it to an SQL query...

7.3AI score0.44629EPSS
Exploits3References2
Positive Technologies
Positive Technologies
added 2023/05/08 12:0 a.m.12 views

PT-2023-17932 · WordPress · Nex-Forms

Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4 Description: The issue arises from improper escaping of the table parameter, which is populated with user input, before it is concatenated to an SQL query. Recommendations: For versions prior t...

7.2CVSS7.7AI score0.44629EPSS
Exploits3References4
GithubExploit
GithubExploit
added 2023/04/05 11:42 a.m.29 views

Exploit for SQL Injection in Basixonline Nex-Forms

nex-formsSQL-Injection CVE-2023-2114 https://vulners.com/cve/...

7.2CVSS8.4AI score0.44629EPSS
Exploits3
OSV
OSV
added 2023/03/27 4:15 p.m.4 views

CVE-2023-0272

The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS6.7AI score0.00503EPSS
Exploits2References1
Exploit DB
Exploit DB
added 2023/03/25 12:0 a.m.215 views

NEX-Forms WordPress plugin &lt; 7.9.7 - Authenticated SQLi

Exploit Title: NEX-Forms WordPress plugin =5.0.12 AND time-based blind query SLEEP Payload: page=nex-forms-dashboard&formid=1 AND SELECT 4715 FROM SELECTSLEEP5nPUi...

8.8CVSS8.8AI score0.10375EPSS
Exploits5
NVD
NVD
added 2023/03/07 4:15 p.m.19 views

CVE-2020-36670

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...

6.3CVSS6AI score0.00554EPSS
Exploits0References3
Prion
Prion
added 2023/03/07 4:15 p.m.23 views

Design/Logic Flaw

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...

6.5CVSS6AI score0.00554EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2023/03/07 3:34 p.m.14 views

CVE-2020-36670 NEX-Forms <= 7.7.1 - Missing Authorization on Various AJAX Actions

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...

6.3CVSS6.6AI score0.00554EPSS
Exploits0References2
Rows per page
Query Builder