cbcvebase.
CVE-2022-3142
published 2022-09-19

Priority: P2 (64)
Severity: high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: PoC available
EPSS: 10.38% (95.2nd percentile)

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injection. The attack can be executed by any user permitted to view the forms statistics chart; by default that is administrators only, but the plugin settings can extend this to other roles.

Affected (1 range)

Vendor        Product     Version range   Fixed in
basixonline   nex-forms   < 7.9.7         7.9.7

Detection & IOCs (extracted from sources)

url: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
command: AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
  • The attack surface may extend beyond administrators if the plugin is configured to allow lower-privileged users to view forms statistics charts.
  • The vulnerability affects NEX-Forms plugin versions before 7.9.7; the exploit PoC was demonstrated on version 5.0.12.