CyberSec.Space Logo
CVEブラウザに戻る

CVE-2020-36670

MEDIUM
6.3
CVSS Severity Score
EPSS Score0.0630%
EPSS Percentile38.88th
Published2023年3月7日
Last Modified2026年4月8日

Vulnerability Description

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.

Affected Platforms (CPE)

📦
Basixonline

Nex Forms

<= 7.7.1

References & Advisories

🔗 https://plugins.trac.wordpress.org/changeset/2427162/
🔗 https://www.wordfence.com/threat-intel/vulnerabilities/id/01940eeb-b4a6-450d-b646-84f415ca92c9?source=cve
🔗 https://plugins.trac.wordpress.org/changeset/2427162/
🔗 https://www.wordfence.com/threat-intel/vulnerabilities/id/01940eeb-b4a6-450d-b646-84f415ca92c9

関連する脆弱性情報

CVE-2015-94529.8

The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-form...

CVE-2021-346767.5

Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation.

CVE-2021-346757.5

Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports.

CVE-2014-71516.1

Multiple cross-site scripting (XSS) vulnerabilities in the NEX-Forms Lite plugin 2.1.0 for WordPress allow remote attackers to inj...