CVE-2024-1129 — Missing Authorization in Nex-forms

CWE-862 — Missing Authorization CWE-20 — Improper Input Validation4 documents4 sources

Severity

4.3MEDIUMNVD

CNA5.3

EPSS

0.3%

top 49.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Basixonline Nex-forms Webaways Nex-forms Ultimate Forms Plugin FOR Wordpress

Timeline

PublishedFeb 29

Latest updateSep 4

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_starred() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as starred.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5webaways/nex-forms_ultimate_forms_plugin_for_wordpress8.5.6

▶NVDbasixonline/nex-forms< 8.5.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-635w-7jgp-9rf7: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capabil↗2024-02-29

▶

CVEList

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_starred()↗2024-02-01

▶

📋Vendor Advisories

Red Hat

kernel: mm, slub: do not call do_slab_free for kfence object↗2024-09-04

▶