CVE-2020-36670
First published: Tue Mar 07 2023(Updated: )
The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Basix NEX-Forms – Ultimate Form Builder | <=7.7.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-36670?
CVE-2020-36670 has a medium severity level due to the potential for unauthorized data disclosure and modification.
How do I fix CVE-2020-36670?
To fix CVE-2020-36670, update the NEX-Forms plugin to version 7.7.2 or later.
Who is affected by CVE-2020-36670?
Authenticated users with subscriber level permissions and above are affected by CVE-2020-36670.
What actions are vulnerable in CVE-2020-36670?
The vulnerability in CVE-2020-36670 is due to missing capability checks on several AJAX actions in the plugin.
Which versions of NEX-Forms are impacted by CVE-2020-36670?
Versions of NEX-Forms up to and including 7.7.1 are impacted by CVE-2020-36670.
- agent/type
- agent/references
- agent/softwarecombine
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/first-publish-date
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/basixonline
- canonical/basix nex-forms – ultimate form builder
- version/basix nex-forms – ultimate form builder/7.7.1