CVE-2024-1130 in NEX-Forms Plugininfo

Summary

by MITRE • 02/29/2024

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the set_read() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark records as read.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1130 affects the NEX-Forms WordPress plugin, specifically targeting versions up to and including 8.5.6. This plugin serves as an ultimate form builder that enables users to create various contact forms and other data collection mechanisms. The security flaw resides within the set_read() function which lacks proper capability verification, creating a critical authorization bypass opportunity. The vulnerability impacts the plugin's ability to maintain proper access controls for form submission records, potentially allowing unauthorized modification of form data status.

The technical implementation flaw stems from the absence of capability checks within the set_read() function, which should verify that the requesting user possesses appropriate permissions before allowing them to mark form records as read. This missing validation creates a path for authenticated attackers who have subscriber-level privileges or higher to manipulate the read status of form submissions. The vulnerability operates at the application logic level, where access control decisions are made without proper authorization verification, violating fundamental security principles of least privilege and proper access control enforcement.

From an operational standpoint, this vulnerability enables attackers to manipulate form submission records by marking them as read, which could have significant implications for form management and data tracking. The impact extends beyond simple record status modification, as it could potentially interfere with automated workflows, reporting mechanisms, or audit trails that depend on accurate read/unread status tracking. Attackers with subscriber-level access can exploit this weakness to hide form submissions from administrators, potentially masking malicious activity or interfering with legitimate business processes. This vulnerability aligns with CWE-284, which addresses improper access control, and represents a clear violation of the principle that operations should require appropriate authorization levels.

The security implications of this vulnerability are particularly concerning given that it requires only subscriber-level authentication to exploit, making it accessible to users who normally have limited privileges within the WordPress environment. Attackers could leverage this weakness to disrupt form processing workflows, manipulate data visibility, or potentially hide malicious submissions from administrators who rely on proper read status tracking for security monitoring. This vulnerability could be particularly dangerous in environments where form submissions contain sensitive information or where automated response systems depend on accurate read status indicators. The impact on security operations includes potential data integrity issues and the ability to circumvent audit controls that rely on proper read/unread status tracking. Mitigation strategies should include immediate plugin updates to versions that address the capability check issue, along with monitoring for unauthorized access attempts and reviewing form submission access logs for suspicious activity. The vulnerability demonstrates the critical importance of implementing proper access controls even for seemingly minor administrative functions within web applications, as these can provide attackers with pathways to more significant security breaches. Organizations should also consider implementing additional monitoring and alerting for unauthorized changes to form submission status, as this represents a potential indicator of compromise within their WordPress environments.

Reservation

01/31/2024

Disclosure

02/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00598

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!