CVE-2023-50838: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2023-50838) was discovered in Basix NEX-Forms – Ultimate Form Builder – Contact forms and much more, affecting versions through 8.5.5. The vulnerability was reported on December 28, 2023, and received a CVSS v3.1 base score of 7.2 (HIGH) from NVD and 7.6 (HIGH) from Patchstack (NVD, Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received two different CVSS v3.1 vector strings: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H from NVD and CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L from Patchstack, both indicating a high severity issue (NVD).

The SQL Injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The high CVSS scores indicate significant potential impact on the confidentiality, integrity, and availability of the affected system (Patchstack).

The vulnerability has been patched in version 8.5.6 of the NEX-Forms Ultimate Form Builder plugin. Users are advised to update to version 8.5.6 or later to remove the vulnerability (Patchstack).