NEX Forms Authentication Bypass for Excel Reports

The WordPress NEX Forms plugin allows users to export form submissions into an Excel file. However, the plugin fails to implement proper access protections. This allows an unauthenticated attacker to access the Excel report and obtain sensitive or personally identifiable information that was submitted via the form.

The vulnerability was reported as CVE-2021-34676.

Versions affected: NEX Forms <= 7.8.7

Background

NEX Forms is a WordPress plugin with more than 12,000 sales. It allows creating forms based on a variety of templates and offers several functions for managing form submissions. During a security evaluation of the plugin in a test environment, we were able to identify access control vulnerabilities in the report export section.

Steps to Reproduce

The "Reporting" section of the NEX Forms admin backend allows users to aggregate and export form submissions into Excel and PDF formats. To obtain an Excel export, the user requests it via the backend "Export To Excel" button. Once the Excel sheet has been generated, it can be accessed by supplying the global GET parameter "export_csv" set to "true" on any backend endpoint.

Figure 1: Reporting section with Excel and PDF export functions

While validating the access controls for the "export_csv" handler, we noticed that the plugin does not check for valid authentication, so it is possible to request the data unauthenticated:

Figure 2: Proof-of-Concept: Unauthenticated access to the Excel report

Root Cause

This issue exists due to missing access control checks in the "export_csv" plugin handler. To mitigate the issue, we recommend implementing access checks that verify the presence of a valid authentication cookie before data is returned via the URL handler.

Fix

The vendor was informed of the finding on June 2, 2021. The product changelog reports the vulnerability to be fixed with version 7.8.8. More information can be found here: https://codecanyon.net/item/nexforms-the-ultimate-wordpress-form-builder/7103891
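
For sites that ran an affected version, the following added example (not part of the original advisory or the plugin) shows one way to review web server access logs for successful requests carrying the "export_csv" parameter described above. It assumes Apache/Nginx combined log format; the `trusted_ips` allowlist of known administrator addresses and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_export_requests(lines, trusted_ips=frozenset()):
    """Return successful requests with export_csv=true from non-allowlisted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        # parse_qs percent-decodes names and values before comparison.
        query = parse_qs(target.query, keep_blank_values=True)
        values = [v.strip().lower() for v in query.get("export_csv", [])]
        if "true" not in values:
            continue
        if not m["status"].startswith("2"):
            continue  # only successful responses are of interest here
        if m["ip"] in trusted_ips:
            continue  # assumption: allowlist of known administrator addresses
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({"ip": m["ip"], "time": m["time"],
                     "path": target.path, "bytes": size})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2021:10:12:01 +0000] '
    '"GET /wp-admin/admin.php?export_csv=true HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.20 - - [03/Jun/2021:10:15:44 +0000] '
    '"GET /wp-admin/admin.php?export_csv=true HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.55 - - [03/Jun/2021:10:20:00 +0000] '
    '"GET /wp-admin/?export_csv=true HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.56 - - [03/Jun/2021:10:21:00 +0000] '
    '"GET /wp-admin/admin.php HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_export_requests(SAMPLE_LOG, trusted_ips={"198.51.100.20"}):
        print(hit)
```

Standard access logs do not record cookies, so each hit still needs to be compared against known administrator activity to decide whether the report was served to an unauthenticated client.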