WordPress Plugin Vulnerabilities

NEX Forms < 7.8.8 - Authentication Bypass for Excel Reports

Description

The plugin was vulnerable to Authentication Bypass for Excel Reports allowing unauthenticated attackers to download Excel reports.

Proof of Concept

Affects Plugins

Plugin icon
nex-forms
Fixed in 7.8.8

References

CVE
CVE-2021-34676
URL
https://codecanyon.net/item/nexforms-the-ultimate-wordpress-form-builder/7103891
URL
https://github.com/rauschecker/CVEs/tree/main/CVE-2021-34676
URL
http://basixonline.net/nex-forms-wordpress-form-builder-demo/change-log/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
rauschecker
Verified
No
WPVDB ID
d7e6bf88-1912-42e3-8139-9a606ed2989f

Timeline

Publicly Published
2021-07-20 (about 4 years ago)
Added
2021-07-20 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-10-31
Title
Mstoreapp Mobile (App <= 2.08, Multivendor <= 9.0.1) - Unauthenticated Privilege Escalation
Published
2018-10-20
Title
Accelerated Mobile Pages <= 0.9.97.19 - Multiple Unauthenticated Vulnerabilities
Published
2026-03-09
Title
Tutor LMS Pro < 3.9.6 - Authentication Bypass via Social Login
Published
2023-11-27
Title
Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export
Published
2014-08-01
Title
AdminOnline - download.php file Parameter Remote Path Traversal File Access