CVE-2023-2114

HIGH EPSS 98.6%

Published May 8, 20233y ago · Modified Jun 17, 20261w ago

7.2 CVSS 3.1

High

Published May 8, 2023 3y ago

Last Modified Jun 17, 2026 1w ago

Description

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.

CVSS Details

Base Score

7.2

Exploitability

1.2

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

98.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-89 SQL Injection Injection

Affected Products 1

Vendor	Product	Version	Range
basixonline	nex-forms	*	<8.4

References 2

github.com https://github.com/SchmidAlex/nex-forms_SQL-Injection

ExploitThird Party Advisory
wpscan.com https://wpscan.com/vulnerability/3d8ab3a5-1bf8-4216-91fa-e89541e5c43d

ExploitThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.