CyberSec.Space Logo
Back to CVE Browser

CVE-2020-36670

MEDIUM
6.3
CVSS Severity Score
EPSS Score0.0630%
EPSS Percentile38.88th
PublishedMar 7, 2023
Last ModifiedApr 8, 2026

Vulnerability Description

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.

Affected Platforms (CPE)

πŸ“¦
Basixonline

Nex Forms

<= 7.7.1

References & Advisories

πŸ”— https://plugins.trac.wordpress.org/changeset/2427162/
πŸ”— https://www.wordfence.com/threat-intel/vulnerabilities/id/01940eeb-b4a6-450d-b646-84f415ca92c9?source=cve
πŸ”— https://plugins.trac.wordpress.org/changeset/2427162/
πŸ”— https://www.wordfence.com/threat-intel/vulnerabilities/id/01940eeb-b4a6-450d-b646-84f415ca92c9

Related Vulnerabilities

CVE-2015-94529.8

The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-form...

CVE-2021-346767.5

Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation.

CVE-2021-346757.5

Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports.

CVE-2014-71516.1

Multiple cross-site scripting (XSS) vulnerabilities in the NEX-Forms Lite plugin 2.1.0 for WordPress allow remote attackers to inj...