WordPress Plugin Vulnerabilities

NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_read()

Description

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_read() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as read.

Affects Plugins

Plugin icon
nex-forms-express-wp-form-builder
Fixed in 8.5.7

References

CVE
CVE-2024-1130
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
d99c4209-7a79-4c35-a5c4-1d45fd5d8ac9

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-01-31 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2025-12-30
Title
JetEngine < 3.8.1.2 - Missing Authorization
Published
2026-02-11
Title
FullCalendar <= 1.6 - Missing Authorization
Published
2024-03-08
Title
HT Easy GA4 – Google Analytics WordPress Plugin < 1.2.0 - Missing Authorization to Unauthenticated GA4 Email Update
Published
2025-04-17
Title
JetElements For Elementor < 2.7.4.2 - Missing Authorization
Published
2024-04-16
Title
Support Genix < 1.2.4 - Missing Authorization