CVE-2020-36670 — Missing Authorization in Nex-forms Ultimate Forms Plugin FOR Wordpress

CWE-862 — Missing Authorization3 documents3 sources

Severity

6.3MEDIUMNVD

EPSS

0.2%

top 54.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Webaways Nex-forms Ultimate Forms Plugin FOR Wordpress Basixonline Nex-forms

Timeline

PublishedMar 7

Description

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶CVEListV5webaways/nex-forms_ultimate_forms_plugin_for_wordpress7.7.1

▶NVDbasixonline/nex-forms7.7.1

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-934x-9h25-m7fx: The NEX-Forms↗2023-03-07

▶

CVEList

NEX-Forms <= 7.7.1 - Missing Authorization on Various AJAX Actions↗2023-03-07

▶