cleantalk
Vulnerabilities and Security Researches

NEX-Forms – Ultimate Form Builder – Contact forms and much more, CVE-2023-0439

CVE, Research URL

CVE-2023-0439

Home page URL

Security reports for NEX-Forms – Ultimate Form Builder – Contact forms and much more

Application

NEX-Forms – Ultimate Form Builder – Contact forms and much more

Published on
Jul 17, 2023
Research Description
The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.
Affected versions
Min -, max 3.1.
Status
vulnerable
Previous vulnerability researches
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2020-36670) , Jun 10, 2024
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2024-10862) , Dec 25, 2024
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2024-13498) , Mar 13, 2025
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2015-9452) , Jun 07, 2024
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2023-2114) , Jun 07, 2024
New vulnerability
Business Directory Plugin – Easy Listing Directories for WordPress (CVE-2024-13887) , Mar 14, 2025
AppPresser – Mobile App Framework (CVE-2025-1561) , Mar 14, 2025
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2025-1119) , Mar 14, 2025
CRM and Lead Management by vcita (CVE-2024-13703) , Mar 14, 2025
WP Recipe Maker (CVE-2025-1503) , Mar 14, 2025