SQL Injection in Basixonline Nex-forms

CVE-2022-3142

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics c…
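
The following PHP is an added illustration of the bug class described above, not code from NEX-Forms or from the fix shipped in 7.9.7. The function names, the capability chosen for the gate and the `{$wpdb->prefix}nexforms_entries` table with its columns are hypothetical; `$wpdb->prepare()`, `$wpdb->esc_like()`, `absint()` and `current_user_can()` are the real WordPress APIs. It shows a statistics query that concatenates request values into SQL next to the same query written the way a WordPress plugin should write it.

```php
<?php
// Added illustration of the CVE-2022-3142 bug class. Not NEX-Forms code:
// the function names, the capability choice and the
// {$wpdb->prefix}nexforms_entries table are hypothetical. The $wpdb
// methods, absint() and current_user_can() are the real WordPress APIs.

/**
 * Vulnerable shape: request values are concatenated straight into SQL.
 * A user allowed to reach the statistics view controls both the WHERE
 * value and the ORDER BY column, so input such as "1 OR 1=1", or a UNION
 * against other tables, is sent to MySQL unchanged.
 */
function nf_stats_vulnerable( $form_id, $order_by ) {
    global $wpdb;
    $table = $wpdb->prefix . 'nexforms_entries'; // hypothetical table
    $sql   = "SELECT id, submitted_at FROM {$table}"
           . " WHERE form_id = " . $form_id
           . " ORDER BY " . $order_by;
    return $wpdb->get_results( $sql );
}

/**
 * Hardened shape:
 *  1. gate the view behind an explicit capability check (the CVE needs only
 *     a low-privileged account, so the read path itself must refuse others);
 *  2. cast numeric input and bind it through $wpdb->prepare();
 *  3. identifiers (the ORDER BY column) cannot be bound as parameters, so
 *     map them through an allow-list instead of escaping them;
 *  4. string filters are bound with %s, and LIKE patterns go through
 *     $wpdb->esc_like() first so that % and _ in the input stay literal.
 */
function nf_stats_fixed( $form_id, $order_by, $name_filter = '' ) {
    global $wpdb;

    // Hypothetical capability; the plugin's real capability name is not on the page.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'nf_forbidden', 'Not allowed to view form statistics.' );
    }

    $form_id = absint( $form_id ); // non-numeric or negative input becomes 0
    $table   = $wpdb->prefix . 'nexforms_entries';

    // Allow-list of sortable columns; anything else falls back to the default.
    $sortable = array( 'id' => 'id', 'date' => 'submitted_at' );
    $order    = isset( $sortable[ $order_by ] ) ? $sortable[ $order_by ] : 'id';

    $sql  = "SELECT id, submitted_at FROM {$table} WHERE form_id = %d";
    $args = array( $form_id );

    if ( '' !== $name_filter ) {
        $sql   .= ' AND submitter_name LIKE %s';
        $args[] = '%' . $wpdb->esc_like( $name_filter ) . '%';
    }

    // The ORDER BY column comes from the allow-list, never from the request.
    $sql .= " ORDER BY {$order}";

    // prepare() accepts the placeholder values as a single array argument.
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}
```

Two points worth keeping in mind when reviewing similar code: `$wpdb->prepare()` only protects values, so any table or column name taken from the request has to be constrained by an allow-list, and escaping with `esc_sql()` alone is a weaker substitute for binding because it depends on the value being quoted correctly in the surrounding string. For this CVE the actual remediation is the vendor's 7.9.7 release; the snippet only shows the pattern.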

Vulnerability class: SQL Injection

EPSS: 0.104 (95.2nd percentile), i.e. an estimated 10.4% probability of exploitation activity in the wild within the next 30 days.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

  • Basixonline Nex-forms
  • Nex-forms – Ultimate Form Builder Contact Forms And Much More (WordPress plugin), versions before 7.9.7 (fixed in 7.9.7)

Frequently asked questions

What is CVE-2022-3142?
CVE-2022-3142 is a high-severity vulnerability in Basixonline Nex-forms, classified under SQL Injection. CVSS score: 8.8/10. Published 2022-09-19.
How severe is CVE-2022-3142?
High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2022-3142 known to be exploited?
Not currently listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation is on record. However, 4 public proof-of-concept repositories are indexed, and the EPSS score of 0.104 (95.2nd percentile) indicates a comparatively high likelihood of exploitation attempts; sites running a version before 7.9.7 should update.