CVE-2023-0439 β€” Cross-site Scripting in Nex-forms

CWE-79 β€” Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 69.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Basixonline Nex-forms
Timeline
PublishedJul 17

Description

The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

β–ΆNVDbasixonline/nex-forms< 8.4.4

πŸ”΄Vulnerability Details

2
GHSA
GHSA-42c6-gcr4-xh6h: The NEX-Forms WordPress plugin before 8β†—2023-07-17
β–Ά
CVEList
NEX-Forms < 8.4.4 - Authenticated Stored XSS↗2023-07-17
β–Ά
CVE-2023-0439 β€” Cross-site Scripting in Nex-forms | cvebase