WordPress Plugin Vulnerabilities

NEX Forms < 7.8.8 - Authentication Bypass for PDF Reports

Description

The plugin was vulnerable to Authentication Bypass for PDF Reports allowing unauthenticated attackers to download PDF reports.

Proof of Concept

Affects Plugins

Plugin icon
nex-forms
Fixed in 7.8.8

References

CVE
CVE-2021-34675
URL
https://codecanyon.net/item/nexforms-the-ultimate-wordpress-form-builder/7103891
URL
https://github.com/rauschecker/CVEs/tree/main/CVE-2021-34675
URL
http://basixonline.net/nex-forms-wordpress-form-builder-demo/change-log/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
rauschecker
Verified
No
WPVDB ID
0a381f83-056f-4f32-a1ad-0b128f5c8818

Timeline

Publicly Published
2021-07-20 (about 4 years ago)
Added
2021-07-20 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2019-07-05
Title
WP Like Button < 1.6.4 - Auth Bypass
Published
2025-09-29
Title
LatePoint < 5.2.0 - Unauthenticated Authentication Bypass
Published
2025-07-25
Title
MelaPress Login Security 2.1.0 - 2.1.1 - Privilege Escalation via Authentication Bypass
Published
2014-08-01
Title
Spam Free Plugin 1.9.2 - IP Blocklist Restriction Bypass
Published
2024-10-25
Title
Meetup <= 0.1 - Authentication Bypass