The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2427162/ | Patch |
https://www.wordfence.com/threat-intel/vulnerabilities/id/01940eeb-b4a6-450d-b646-84f415ca92c9 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Wordfence
Published: 2023-03-07T15:34:03.433Z
Updated: 2023-03-07T15:34:03.433Z
Reserved: 2023-03-07T15:33:56.028Z
Link: CVE-2020-36670
JSON object: View
NVD Information
Status : Modified
Published: 2023-03-07T16:15:09.267
Modified: 2023-11-07T03:22:26.880
Link: CVE-2020-36670
JSON object: View
Redhat Information
No data.
CWE
No CWE.