NEX Forms Authentication Bypass for Excel Reports

The WordPress NEX Forms plugin allows users to export form submissions into an Excel file. However, the plugin fails to implement proper access protections. This allows an unauthenticated attacker to access the Excel report and obtain sensitive or personally identifiable information that was submitted via the form.

The vulnerability was reported as CVE-2021-34676.

Versions affected: NEX Forms <= 7.8.7

Background

NEX Forms is a WordPress plugin with more than 12.000 sales. It allows creating forms based on a variety of templates and offers several functions for managing form submissions. During a security evaluation of the plugin in a test environment, we identified access control vulnerabilities in the report export section.

Steps to Reproduce

The "Reporting" section of the NEX Forms admin backend allows users to aggregate and export form submissions into Excel and PDF formats. To obtain an Excel export, the user first requests it via the backend "Export To Excel" button. Once the Excel sheet has been generated, it can be accessed by supplying the global GET parameter "export_csv" set to "true" for any backend endpoint.

Figure 1: Reporting section with Excel and PDF export functions

While validating the access controls for the "export_csv" handler, we noticed that the plugin does not check for valid authentication, so the data can be requested without authentication:

Figure 2: Proof-of-Concept: Unauthenticated access to the Excel report

Root Cause

This issue exists due to missing access control checks in the "export_csv" plugin handler. To mitigate the issue, we recommend implementing access checks that verify the presence of a valid authentication cookie before data is returned via the URL handler.
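
The recommended check, sketched as an added example for a WordPress plugin (this is not the NEX Forms source or the vendor's fix). The `admin_init` hook, all `example_*` names, the `manage_options` capability and the nonce action are assumptions; the capability and nonce checks go beyond the cookie check recommended above.

```php
<?php
// Added illustration, not the NEX Forms source. Hook, function names,
// capability and nonce action are assumptions.

// Stand-in for the report generator: streams rows as CSV (constructed data).
function example_send_report() {
    $rows = array(
        array( 'name', 'email' ),
        array( 'Test User', 'user@example.test' ),
    );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="report.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
}

// Assumed shape of the flaw: the GET parameter alone triggers the export.
// Shown for contrast only; it is never registered on a hook.
function example_export_unchecked() {
    if ( isset( $_GET['export_csv'] ) && 'true' === $_GET['export_csv'] ) {
        example_send_report();
        exit;
    }
}

// Hardened handler: authenticate, authorize, then verify request intent.
function example_export_checked() {
    if ( ! isset( $_GET['export_csv'] ) || 'true' !== $_GET['export_csv'] ) {
        return;
    }
    // Validates the WordPress auth cookie; anonymous requests stop here.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 403 ) );
    }
    // A logged-in low-privilege user must not read other people's submissions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Expects a _wpnonce query arg from wp_nonce_url( $url, 'example_export_csv' ).
    check_admin_referer( 'example_export_csv' );
    example_send_report();
    exit;
}
// admin_init also runs for anonymous requests to admin-ajax.php and
// admin-post.php, so the hook itself provides no access control.
add_action( 'admin_init', 'example_export_checked' );
```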

Fix

The vendor was informed of the finding on June 2, 2021. The product changelog reports the vulnerability to be fixed with version 7.8.8. More information can be found here: https://codecanyon.net/item/nexforms-the-ultimate-wordpress-form-builder/7103891