cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10862,https://securityvulnerability.io/vulnerability/CVE-2024-10862,SQL Injection Vulnerability in NEX-Forms Plugin for WordPress,"An SQL injection vulnerability has been discovered in the NEX-Forms - Ultimate Form Builder plugin for WordPress, affecting all versions up to and including 8.7.13. This vulnerability arises due to inadequate escaping mechanisms for user-supplied input in the 'search_params' parameter, coupled with insufficient safeguards in the existing SQL query structure. As a result, unauthorized attackers are able to inject additional SQL commands, potentially leading to the extraction of sensitive database information. Furthermore, the absence of proper nonce validation on the get_table_records AJAX action heightens the risk of CSRF exploits, allowing attackers to perform unauthorized actions without user consent.",Wordpress,Nex-forms – Ultimate Form Builder – Contact Forms And Much More,4.9,MEDIUM,0.0004900000058114529,false,,false,false,false,,false,false,2024-12-25T06:42:14.009Z,0
CVE-2024-0907,https://securityvulnerability.io/vulnerability/CVE-2024-0907,Unauthorized Access in NEX-Forms Plugin for WordPress,"The NEX-Forms – Ultimate Form Builder plugin for WordPress is susceptible to unauthorized access due to a lack of capability checks within the restore_records() function. This vulnerability affects all versions up to and including 8.5.6, enabling authenticated users with subscriber-level access or higher to restore sensitive records. This issue poses a risk to the integrity of user data, as unauthorized users could exploit this oversight to gain access to information that should be protected.",Wordpress,NEX-Forms – Ultimate Form Builder – Contact forms and much more,4.3,MEDIUM,0.0007200000109151006,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1129,https://securityvulnerability.io/vulnerability/CVE-2024-1129,Unauthorized Access in NEX-Forms Ultimate Form Builder Plugin for WordPress,"The NEX-Forms – Ultimate Form Builder plugin for WordPress exhibits a vulnerability that allows authenticated users, particularly those with subscriber-level access and higher, to exploit a missing capability check in the set_starred() function. This flaw is present in versions up to and including 8.5.6, enabling unauthorized manipulation of records, which could have significant impacts on data integrity and security. Users are urged to update to the latest version to mitigate potential risks.",Wordpress,Nex-forms – Ultimate Form Builder – Contact Forms And Much More,4.3,MEDIUM,0.0007200000109151006,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1130,https://securityvulnerability.io/vulnerability/CVE-2024-1130,Unauthorized Access in NEX-Forms Plugin for WordPress,"The NEX-Forms – Ultimate Form Builder plugin for WordPress contains a security flaw that allows authenticated attackers, with subscriber-level access or higher, to bypass necessary capability checks in the set_read() function. This vulnerability, present in all versions up to and including 8.5.6, potentially grants attackers the ability to mark records as read, leading to unauthorized access to sensitive information. Users of this plugin are advised to upgrade to version 8.5.7 or later to mitigate this risk.",Wordpress,NEX-Forms – Ultimate Form Builder – Contact forms and much more,4.3,MEDIUM,0.0007200000109151006,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2023-0439,https://securityvulnerability.io/vulnerability/CVE-2023-0439,NEX-Forms < 8.4.4 - Authenticated Stored XSS,"The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms; however, there is a setting allowing them to give lower roles access to this feature.",Wordpress,Nex-forms,5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,false,false,2023-07-17T14:15:00.000Z,0
CVE-2023-2114,https://securityvulnerability.io/vulnerability/CVE-2023-2114,NEX-Forms < 8.4 - Admin+ SQL Injection,"The NEX-Forms plugin for WordPress, prior to version 8.4, contains a vulnerability that arises from the improper handling of the `table` parameter, which accepts user input. This weakness can lead to SQL injection, allowing attackers to manipulate SQL queries executed by the application. The lack of proper sanitization of the user input opens pathways for unauthorized data access and could compromise the integrity of the database.",Wordpress,NEX-Forms,7.2,HIGH,0.0019399999873712659,false,,false,false,true,true,false,false,2023-05-08T14:15:00.000Z,0
CVE-2023-0272,https://securityvulnerability.io/vulnerability/CVE-2023-0272,NEX-Forms < 8.3.3 - Contributor+ Stored XSS,"The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.",Wordpress,NEX-Forms,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2023-03-27T16:15:00.000Z,0
CVE-2020-36670,https://securityvulnerability.io/vulnerability/CVE-2020-36670,Unauthorized Data Disclosure and Modification in NEX-Forms Plugin for WordPress,"The NEX-Forms plugin for WordPress has a vulnerability that allows authenticated attackers, even those with minimal permissions (subscriber level), to exploit missing capability checks on certain AJAX actions. This can lead to unauthorized data manipulation, including the ability to modify form submission records, delete files, send test emails, and alter plugin settings. Such flaws underline the need for robust authentication and careful management of user permissions to prevent misuse.",Wordpress,Nex-forms – Ultimate Form Builder – Contact Forms And Much More,6.3,MEDIUM,0.0006399999838322401,false,,false,false,false,,false,false,2023-03-07T15:34:03.433Z,0
CVE-2022-3142,https://securityvulnerability.io/vulnerability/CVE-2022-3142,NEX-Forms < 7.9.7 - Authenticated SQLi,"The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, though this can be configured otherwise via the plugin settings.",Wordpress,Nex-forms – Ultimate Form Builder – Contact Forms And Much More,8.8,HIGH,0.006120000034570694,false,,false,false,false,,false,false,2022-09-19T00:00:00.000Z,0
CVE-2021-24705,https://securityvulnerability.io/vulnerability/CVE-2021-24705,NEX-Forms < 8.4.3 - Stored Cross-Site Scripting via CSRF,"The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. This could allow attackers to make a logged-in admin edit arbitrary forms with Cross-Site Scripting payloads in them.",Wordpress,Nex-forms,4.8,MEDIUM,0.0005099999834783375,false,,false,false,false,,false,false,2021-12-13T10:40:44.000Z,0
CVE-2015-9452,https://securityvulnerability.io/vulnerability/CVE-2015-9452,,The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-forms-main nex_forms_Id parameter.,Wordpress,Nex-forms - Ultimate Form Builder,9.8,CRITICAL,0.002360000042244792,false,,false,false,false,,false,false,2019-10-07T14:19:48.000Z,0
CVE-2014-7151,https://securityvulnerability.io/vulnerability/CVE-2014-7151,,Multiple cross-site scripting (XSS) vulnerabilities in the NEX-Forms Lite plugin 2.1.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the form_fields parameter in a (1) do_edit or (2) do_insert action to wp-admin/admin-ajax.php.,Wordpress,Nex-forms Lite,6.1,MEDIUM,0.002050000010058284,false,,false,false,false,,false,false,2016-01-08T21:00:00.000Z,0