WordPress Plugin Vulnerabilities

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.8.2 - Unauthenticated Sensitive Information Exposure

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form.

Affects Plugins

Plugin icon
nex-forms-express-wp-form-builder
Fixed in 8.8.2

References

CVE
CVE-2024-13498
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f188a5e6-699e-4e1a-b4e4-7fb4056b0bee

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
a7a5e6a1-02f2-4f8d-8587-ab2d0a1969e5

Timeline

Publicly Published
2025-03-11 (about 1 year ago)
Added
2025-03-11 (about 1 year ago)
Last Updated
2025-03-12 (about 1 year ago)

Other

Published
Title
Published
2023-10-16
Title
simple-download-button-shortcode <= 1.1.1 - Sensitive Data Disclosure
Published
2025-12-02
Title
MxChat – AI Chatbot for WordPress < 2.5.6 - Unauthenticated Information Exposure
Published
2021-08-23
Title
Timetable and Event Schedule by MotoPress < 2.4.0 - Arbitrary User's Hashed Password/Email/Username Disclosure
Published
2024-11-19
Title
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce < 6.0.4 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Published
2023-10-16
Title
Front End PM < 11.4.3 - Sensitive Data Exposure via Directory Listing