Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-3142SQL Injection in Nex-forms

CWE-89SQL Injection5 documents5 sources
Severity
8.8HIGHNVD
EPSS
8.0%
top 7.87%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Basixonline Nex-forms
Timeline
PublishedSep 19
Latest updateMar 25

Description

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-5www-q64q-vx68: The NEX-Forms WordPress plugin before 72022-09-20
CVEList
NEX-Forms < 7.9.7 - Authenticated SQLi2022-09-19

💥Exploits & PoCs

2
Exploit-DB
NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi2023-03-25
Nuclei
NEX-Forms Plugin < 7.9.7 - SQL Injection
CVE-2022-3142 — SQL Injection in Basixonline Nex-forms | cvebase