nex-forms_SQL-Injection CVE-2023-2114
Quick Review about the SQL-Injection in the NEX-Forms Plugin for WordPress
Uploaded exploit
Note that this uploaded exploit code isnt for this particular vulnerability... But this is an example how you could make an exploit for this issue.
Vulnerable Versions
From Version 8.3 (Maybe earlier too) till version 8.4
The SQL-Injection itself
The SQL-Injection is placed in the authenticated area from NEX-Forms. When you edit a form and want to safe it, your client sends a post-request to the server with some parameters.
One of those parameters is called 'table' which is vulnerable. There was no sanitizing or filtering.