CVE-2020-36670: 
WordPress vulnerability analysis and mitigation

The NEX-Forms plugin for WordPress (versions up to and including 7.7.1) contains a vulnerability identified as CVE-2020-36670. This security flaw stems from missing capability checks on several AJAX actions, which was disclosed on March 7, 2023 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The technical analysis indicates that the vulnerability is characterized by network attack vector, low attack complexity, requires low privileges, needs no user interaction, and has an unchanged scope with low impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated attackers with subscriber level permissions or higher to perform unauthorized actions including modification of form submission records, deletion of files, sending test emails, and modification of plugin settings. This represents a significant breach of access control mechanisms that could lead to unauthorized data manipulation and system configuration changes (NVD).

A patch has been released to address this vulnerability. Users are advised to update their NEX-Forms plugin to a version newer than 7.7.1 to mitigate the security risk (WordPress Patch).