vulnerability

WordPress Plugin: nex-forms-express-wp-form-builder: CVE-2020-36670: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:P/I:P/A:P)	Nov 27, 2020	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

Nov 27, 2020

Added

May 15, 2025

Modified

May 15, 2025

Description

The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more.

Solution

nex-forms-express-wp-form-builder-plugin-cve-2020-36670

References

URL-https://www.cve.org/CVERecord?id=CVE-2020-36670
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/01940eeb-b4a6-450d-b646-84f415ca92c9?source=api-prod
CVE-2020-36670
https://attackerkb.com/topics/CVE-2020-36670

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today