Cyber Resilience

CVE-2022-3142

Severity: High · Public PoC: yes

Published: 19 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 7.9.7)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0804 (92.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-3142 is a high-severity SQL Injection (CWE-89) vulnerability in Basixonline Nex-Forms. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 7.7% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The NEX-Forms WordPress plugin before version 7.9.7 contains an SQL injection vulnerability (CWE-89): user input reaches SQL statements without proper sanitisation or escaping. The affected component is the plugin's forms statistics chart functionality, and the issue carries a CVSS 3.1 base score of 8.8.

An attacker who holds the permission to view the forms statistics chart (by default limited to administrators, but configurable through the plugin settings) can supply crafted input that is executed as part of a SQL query. Successful exploitation gives full confidentiality, integrity, and availability impact on the underlying WordPress database. The CVSS vector rates privileges required as Low (PR:L); on a default install, however, the attacker needs an administrator account, so the practical exposure of a given site depends on how the chart-viewing permission has been configured.

Public references including WPScan, Packet Storm, and a detailed Medium analysis confirm the issue and point to updating the NEX-Forms plugin to version 7.9.7 or later as the primary mitigation; no additional configuration changes or workarounds are described in the available advisories. Until the update is applied, it is worth confirming in the plugin settings that the chart-viewing permission has not been widened beyond administrators.
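The vulnerable pattern and its hardened form side by side, as an added illustration of the CWE-89 weakness described above and of the input-validation control listed under Mitigating Controls. This is not NEX-Forms code: the handler, option, table and request-parameter names (nf_stats_chart_*, nf_stats_chart_capability, {$wpdb->prefix}nf_submissions, form_id, period) are assumptions made for the example; the WordPress APIs it calls ($wpdb->prepare, $wpdb->get_results, current_user_can, check_ajax_referer, absint, get_option, wp_send_json_error) are real.

```php
<?php
// Added illustration of the CWE-89 pattern behind CVE-2022-3142 and its fix.
// Not NEX-Forms code: handler, option, table and request-parameter names are
// hypothetical; the WordPress APIs ($wpdb->prepare, current_user_can, ...) are real.

/**
 * Vulnerable pattern: the request value is spliced straight into the SQL
 * text. A value such as
 *     1 UNION SELECT user_login, user_pass FROM wp_users
 * is then executed as part of the query instead of being compared as a number,
 * which is how a chart endpoint turns into a database read/write primitive.
 */
function nf_stats_chart_vulnerable() {
    global $wpdb;
    $form_id = $_REQUEST['form_id'];                       // untrusted string
    $sql = "SELECT DATE(date_submitted) AS day, COUNT(*) AS total"
         . " FROM {$wpdb->prefix}nf_submissions"
         . " WHERE form_id = " . $form_id                  // CWE-89: no escaping
         . " GROUP BY day";
    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Hardened pattern:
 *  1. gate on the capability the plugin setting maps the chart to
 *     (the advisory notes the permission is configurable);
 *  2. require a nonce so the endpoint cannot be driven cross-site;
 *  3. coerce numeric input and bind it with a %d placeholder;
 *  4. allow-list anything that must land in the SQL as an identifier or
 *     expression, because placeholders cannot parameterise those.
 */
function nf_stats_chart_hardened() {
    global $wpdb;

    // Hypothetical option holding the capability the site owner chose for the chart.
    $required_cap = get_option( 'nf_stats_chart_capability', 'manage_options' );
    if ( ! current_user_can( $required_cap ) ) {
        wp_send_json_error( 'forbidden', 403 );            // sends JSON and exits
    }
    check_ajax_referer( 'nf_stats_chart', 'nonce' );       // dies on a bad nonce

    $form_id = absint( $_REQUEST['form_id'] ?? 0 );        // non-negative integer, else 0

    // The grouping period becomes an SQL expression: allow-list it, never interpolate raw.
    // '%%' is how a literal '%' is written in a string passed to $wpdb->prepare().
    $periods = array(
        'day'   => 'DATE(date_submitted)',
        'month' => "DATE_FORMAT(date_submitted, '%%Y-%%m')",
    );
    $period = isset( $_REQUEST['period'] ) ? (string) $_REQUEST['period'] : 'day';
    if ( ! array_key_exists( $period, $periods ) ) {
        $period = 'day';
    }

    $sql = $wpdb->prepare(
        "SELECT {$periods[$period]} AS bucket, COUNT(*) AS total"
        . " FROM {$wpdb->prefix}nf_submissions"
        . " WHERE form_id = %d"
        . " GROUP BY bucket ORDER BY bucket",
        $form_id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hypothetical registration of the hardened handler as an admin-ajax action.
add_action( 'wp_ajax_nf_stats_chart', 'nf_stats_chart_hardened' );
```

Two points the hardened version makes that a plain "use prepare()" rule does not: the capability check must use whatever the plugin setting actually maps the chart to, since the advisory's whole point is that this permission is configurable, and `$wpdb->prepare` only binds values, so any column, table, sort direction or SQL expression chosen by the request has to go through an allow-list. On a live site the installed version can be confirmed with `wp plugin list --fields=name,version` before deciding whether the update to 7.9.7 is still outstanding.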

The EPSS score for this CVE rose from a low baseline to a peak of 0.2287 on 2025-12-11 before receding to the current value of 0.0804, indicating a period of increased exploitation interest after disclosure.


Vulnerability details

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however this can be configured otherwise via the plugin settings.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

basixonline nex-forms, versions before 7.9.7 (fixed in 7.9.7)

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
