81 matches found
CVE-2024-13498 NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 - Unauthenticated Sensitive Information Exposure
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This make...
CVE-2024-13498
CVE-2024-13498 involves the WordPress plugin NEX-Forms – Ultimate Form Builder, where unauthenticated attackers can exfiltrate sensitive data via file uploads in all versions up to 8.8.1 due to insufficient directory listing protection and non-randomized file names. The issue is confirmed in conn...
CVE-2024-10862
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'searchparams' parameter in all versions up to, and including, 8.7.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
CVE-2024-10862
CVE-2024-10862 affects the WordPress plugin “NEX-Forms – Ultimate Form Builder”. The issue is an authenticated SQL Injection via the search_params parameter in the affected queries, exploitable in versions up to 8.7.13 (and disclosed under authenticated admin context). Root cause: insufficient es...
CVE-2024-10862 NEX-Forms <= 8.7.15 - Authenticated (Admin+) SQL Injection
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'searchparams' parameter in all versions up to, and including, 8.7.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
WordPress NEX-Forms plugin <= 8.7.15 - Authenticated (Admin+) SQL Injection vulnerability
Authenticated Admin+ SQL Injection vulnerability discovered by M.Awad in WordPress Plugin NEX-Forms versions = 8.7.15...
WordPress NEX-Forms plugin <= 8.7.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by Le Ngoc Anh Patchstack Alliance in WordPress Plugin NEX-Forms versions = 8.7.3...
CVE-2024-1130
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the setread function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with...
CVE-2024-1129
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the setstarred function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with...
CVE-2023-0439
The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such featur...
PT-2023-16270 · WordPress · Nex-Forms
Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4.4 Description: The issue is related to Stored Cross-Site Scripting, which could be caused by the lack of proper escaping of the form name. This could potentially be exploited by users with acce...
CVE-2023-2114
The NEX-Forms WordPress plugin before 8.4 does not properly escape the table parameter, which is populated with user input, before concatenating it to an SQL query...
CVE-2023-2114 NEX-Forms < 8.4 - Admin+ SQL Injection
The NEX-Forms WordPress plugin before 8.4 does not properly escape the table parameter, which is populated with user input, before concatenating it to an SQL query...
PT-2023-17932 · WordPress · Nex-Forms
Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4 Description: The issue arises from improper escaping of the table parameter, which is populated with user input, before it is concatenated to an SQL query. Recommendations: For versions prior t...
Exploit for SQL Injection in Basixonline Nex-Forms
nex-formsSQL-Injection CVE-2023-2114 https://vulners.com/cve/...
CVE-2023-0272
The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
Exploit Title: NEX-Forms WordPress plugin =5.0.12 AND time-based blind query SLEEP Payload: page=nex-forms-dashboard&formid=1 AND SELECT 4715 FROM SELECTSLEEP5nPUi...
CVE-2020-36670
The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...
Design/Logic Flaw
The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...
CVE-2020-36670 NEX-Forms <= 7.7.1 - Missing Authorization on Various AJAX Actions
The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...