WordPress Plugin Vulnerabilities

NEX-Forms - Ultimate Form builder <= 3.0 - SQL Injection

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more WordPress plugin was affected by an Ultimate Form builder <= 3.0 - SQL Injection security vulnerability.

Affects Plugins

Plugin icon
nex-forms-express-wp-form-builder
Fixed in 3.1

References

Exploitdb
36800
URL
https://packetstormsecurity.com/files/#131540/
URL
https://packetstormsecurity.com/files/#131553/
URL
https://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
136f0f1e-6472-4cc4-af93-d86798acf9a0

Timeline

Publicly Published
2015-04-21 (about 11 years ago)
Added
2015-04-21 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2025-02-11
Title
LTL Freight Quotes – XPO Edition < 4.3.8 - Unauthenticated SQL Injection
Published
2024-03-28
Title
WP ERP < 1.30.0 - Authenticated (Accounting Manager+) SQL Injection via id
Published
2021-11-01
Title
myCred < 2.3 - Subscriber+ SQL Injection
Published
2022-05-20
Title
Export any WordPress data to XML/CSV < 1.3.5 - Admin+ SQL Injection
Published
2022-10-31
Title
Event Monster < 1.2.1 - Admin+ SQLi