CVE-2024-0907 — Missing Authorization in Nex-forms

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

CNA5.3

EPSS

0.7%

top 28.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Basixonline Nex-forms Webaways Nex-forms Ultimate Forms Plugin FOR Wordpress

Timeline

PublishedFeb 29

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5webaways/nex-forms_ultimate_forms_plugin_for_wordpress8.5.6

▶NVDbasixonline/nex-forms< 8.5.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-76cr-x9wq-mm5r: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capabil↗2024-02-29

▶

CVEList

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()↗2024-02-01

▶