CVE-2022-3142

HIGH NUCLEI

Basixonline Nex-forms < 7.9.7 - SQL Injection

Title source: rule

Description

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Elias Hohl · textwebappsphp

https://www.exploit-db.com/exploits/51042

View Code ZIP pw:eip

Nuclei Templates (1)

NEX-Forms Plugin < 7.9.7 - SQL Injection

HIGHVERIFIEDby r3Y3r53

Shodan: http.html:/wp-content/plugins/nex-forms-express-wp-form-builder/

FOFA: body=/wp-content/plugins/nex-forms-express-wp-form-builder/

References (3)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html

[Various Sources] https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328

Scores

CVSS v3 8.8

EPSS 0.0804

EPSS Percentile 92.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

basixonline/nex-forms < 7.9.7

Published Sep 19, 2022

Tracked Since Feb 18, 2026