CVE-2024-13498: 
WordPress vulnerability analysis and mitigation

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 8.8.1. The vulnerability was disclosed on March 12, 2025 and assigned CVE-2024-13498. The issue affects the file upload functionality of the plugin (NVD).

The vulnerability stems from insufficient directory listing prevention and lack of randomization of file names in the file upload functionality. This security weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no privileges or user interaction required (Wordfence).

The vulnerability allows unauthenticated attackers to extract sensitive data, specifically files that have been uploaded through forms on the affected WordPress sites. This could lead to unauthorized access to potentially confidential information submitted by users (NVD).

The vulnerability has been fixed in version 8.8.2 of the NEX-Forms plugin. Users are advised to update to this version or later to protect against potential exploitation (WordPress Plugin).