CVE-2022-3142

HIGH NUCLEI

NEX-Forms < 7.9.7 - Authenticated SQL Injection via Forms Statistics Chart

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-3142. PoCs published by Elias Hohl. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a writeup describing an authenticated SQL injection vulnerability in the NEX-Forms WordPress plugin. It provides steps to reproduce the vulnerability using sqlmap for time-based blind SQLi exploitation.

Description

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Elias Hohl · textwebappsphp
https://www.exploit-db.com/exploits/51042

This is a writeup describing an authenticated SQL injection vulnerability in the NEX-Forms WordPress plugin. It provides steps to reproduce the vulnerability using sqlmap for time-based blind SQLi exploitation.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: NEX-Forms WordPress plugin < 7.9.7
Auth required
Prerequisites: WordPress instance with NEX-Forms plugin installed · Authenticated user access · Burp Suite or similar tool to capture request
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

NEX-Forms Plugin < 7.9.7 - SQL Injection
HIGHVERIFIEDby r3Y3r53
Shodan: http.html:/wp-content/plugins/nex-forms-express-wp-form-builder/
FOFA: body=/wp-content/plugins/nex-forms-express-wp-form-builder/

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.1027
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
basixonline/nex-forms < 7.9.7
Published Sep 19, 2022
Tracked Since Feb 18, 2026