CVE-2023-2114

HIGH

NEX-Forms < 8.4 - SQL Injection via Table Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-2114. PoCs published by SchmidAlex.

AI-analyzed exploit summary This repository provides a writeup and screenshots detailing an SQL injection vulnerability (CVE-2023-2114) in the NEX-Forms WordPress plugin. The vulnerability exists in the 'table' parameter during form editing and affects versions 8.3 to 8.4.

Description

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.

Exploits (1)

nomisec WRITEUP 2 stars

by SchmidAlex · poc

https://github.com/SchmidAlex/nex-forms_SQL-Injection-CVE-2023-2114

View Code ZIP pw:eip

This repository provides a writeup and screenshots detailing an SQL injection vulnerability (CVE-2023-2114) in the NEX-Forms WordPress plugin. The vulnerability exists in the 'table' parameter during form editing and affects versions 8.3 to 8.4.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: NEX-Forms WordPress Plugin versions 8.3 to 8.4

Auth required

Prerequisites: Authenticated access to the WordPress admin panel · NEX-Forms plugin version 8.3 to 8.4

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/SchmidAlex/nex-forms_SQL-Injection

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/3d8ab3a5-1bf8-4216-91fa-e89541e5c43d

Scores

CVSS v3 7.2

EPSS 0.4304

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

basixonline/nex-forms < 8.4

Published May 08, 2023

Tracked Since Feb 18, 2026