Vulnerability Description
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injection. The attack can be executed by anyone who is permitted to view the forms statistics chart; by default this is administrators only, but the permission can be configured otherwise via the plugin settings.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Basixonline | Nex-Forms | < 7.9.7 |
References
- http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.ht
- https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-ne
- https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328 (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-3142?
CVE-2022-3142 is a vulnerability with a CVSS score of 8.8 (HIGH). The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is p...
How severe is CVE-2022-3142?
CVE-2022-3142 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-3142?
Check the references section above for vendor advisories and patch information. Affected products include Basixonline Nex-Forms (versions before 7.9.7).