CVE-2022-3142
Summary
| CVE | CVE-2022-3142 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-19 14:15:00 UTC |
| Updated | 2023-11-07 03:50:00 UTC |
| Description | The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart; by default this is administrators, but the permission can be configured otherwise via the plugin settings. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Basixonline | Nex-forms | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Authenticated SQL injection vulnerability in “NEX Forms” Wordpress plugin \| by Elias Hohl \| Medium | | medium.com | |
| NEX-Forms < 7.9.7 - Authenticated SQLi WordPress Security Vulnerability | MISC | wpscan.com | |
| WordPress NEX-Forms SQL Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Authenticated SQL injection vulnerability in “NEX Forms” Wordpress plugin \| by Elias Hohl \| Aug, 2022 \| Medium | MISC | medium.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Elias Hohl
There are currently no legacy QID mappings associated with this CVE.