CVE-2022-3142: 
WordPress vulnerability analysis and mitigation

The NEX-Forms WordPress plugin before version 7.9.7 contains a SQL injection vulnerability (CVE-2022-3142) discovered in August 2022. The vulnerability affects the form statistics chart functionality and can be exploited by authenticated users who have permission to view form statistics, which by default is restricted to administrators but can be configured differently through plugin settings (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of user input in SQL statements within the printchart function located in includes/classes/class.dashboard.php. The issue occurs because the prepare function is misused, with the formid variable being directly concatenated into the SQL query string without proper sanitization. The vulnerability can be exploited through the /wp-admin/admin.php?page=nex-forms-dashboard endpoint. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Medium Blog, NVD).

Successful exploitation of this vulnerability could allow attackers to interact directly with the database, potentially leading to unauthorized access to sensitive information, modification of database contents, and compromise of the WordPress installation. The vulnerability is particularly concerning as it affects a plugin with approximately 10,000 active installations (Medium Blog).

The vulnerability has been patched in version 7.9.7 of the NEX-Forms plugin. Users are advised to update to this version or later to resolve the security issue. The fix involves proper implementation of prepared SQL statements as recommended by the researcher (WPScan, Medium Blog).