CVE-2022-3142 Scanner
CVE-2022-3142 scanner - SQL Injection vulnerability in NEX-Forms
Short Info
Level
High
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
4 weeks
Scan only one
Domain, IPv4, Subdomain
Toolbox
-
NEX-Forms is a powerful and comprehensive form builder plugin for WordPress, designed to help users create and manage interactive forms for their websites easily. It is used by website owners, bloggers, and businesses to gather information from their visitors through customized forms, including contact forms, feedback surveys, and registration forms. This plugin provides a wide range of features such as drag-and-drop form building, responsive design, and advanced analytics, making it a popular choice for creating professional-looking forms without requiring coding skills.
The SQL Injection vulnerability in versions of NEX-Forms before 7.9.7 arises from the plugin's failure to adequately sanitize and escape user inputs before incorporating them into SQL queries. This security flaw allows attackers with access to the forms statistics chart, typically administrators or users with specific permissions set through plugin settings, to inject malicious SQL code. This could lead to unauthorized access to the website's database, data leakage, or manipulation.
Specifically, the vulnerability is located in the functionality that generates the forms statistics chart within the NEX-Forms dashboard. An attacker can exploit this by manipulating form IDs in requests to execute arbitrary SQL commands. The lack of proper input validation and parameterized queries allows the injection of SQL code, which can be executed by the database server, potentially compromising the integrity and confidentiality of the stored data.
Exploitation of this SQL Injection vulnerability could have severe consequences, including unauthorized access to sensitive data stored in the WordPress database, such as user information, passwords, and private form submissions. Attackers could also manipulate or delete data, leading to disruption of website operations and loss of trust among users. In extreme cases, it could facilitate further attacks on the website or its users.
S4E's advanced scanning technology enables you to identify and rectify vulnerabilities like SQL Injection in your WordPress plugins, ensuring your website remains secure against potential cyber-attacks. By becoming a member, you gain access to comprehensive vulnerability assessments, regular updates on new threats, and expert recommendations for maintaining a robust security posture. Protect your digital assets and build trust with your users by leveraging the proactive cyber threat management services offered by S4E.
References
- https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/
- https://www.exploit-db.com/exploits/51042
- https://nvd.nist.gov/vuln/detail/CVE-2022-3142
- http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html
- https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5