CVE-2022-3142
Published: 19 September 2022
Summary
CVE-2022-3142 is a high-severity SQL Injection (CWE-89) vulnerability in Basixonline Nex-Forms. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 7.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The NEX-Forms WordPress plugin before version 7.9.7 contains an SQL injection vulnerability (CWE-89) because it fails to properly sanitize and escape user input before incorporating it into SQL statements. The affected component is the forms statistics chart functionality within this plugin, which runs on WordPress sites and carries a CVSS 3.1 score of 8.8.
An attacker who is granted permission to view the forms statistics chart—by default limited to administrators but configurable through plugin settings—can supply crafted input to execute arbitrary SQL queries. Successful exploitation allows the attacker to achieve full confidentiality, integrity, and availability impacts on the underlying database.
Public references including WPScan, Packet Storm, and a detailed Medium analysis confirm the issue and point to updating the NEX-Forms plugin to version 7.9.7 or later as the primary mitigation; no additional configuration changes or workarounds are described in the available advisories.
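The advisories above do not reproduce the affected code, so the following is an illustrative WordPress/PHP example added here (it is not code from the NEX-Forms plugin): a hypothetical statistics-chart AJAX handler that builds its SQL by string interpolation, beside a hardened form that gates on a configurable capability and passes every value through `$wpdb->prepare()`. The `nex_entries` table, the `nex_stats_chart` action, the `nex_chart_capability` option and the request parameter names are assumptions; `$wpdb->prepare()`, `current_user_can()`, `check_ajax_referer()`, `absint()` and `sanitize_text_field()` are standard WordPress APIs.

```php
<?php
// Added illustration only; table, option and action names are hypothetical.

// VULNERABLE pattern (CWE-89): request values are interpolated straight into SQL
// and no capability check decides who may request the chart data.
function nex_chart_data_vulnerable() {
    global $wpdb;
    $form_id = $_POST['form_id'] ?? '';   // attacker-controlled strings
    $from    = $_POST['from'] ?? '';
    $to      = $_POST['to'] ?? '';
    // A quote in $from or $to terminates the literal and the rest is parsed as SQL.
    $sql = "SELECT DATE(created) AS day, COUNT(*) AS total
            FROM {$wpdb->prefix}nex_entries
            WHERE form_id = $form_id AND created BETWEEN '$from' AND '$to'
            GROUP BY day";
    wp_send_json( $wpdb->get_results( $sql, ARRAY_A ) );
}

// HARDENED form: CSRF nonce, capability gate, typed input, prepared statement.
function nex_chart_data_hardened() {
    global $wpdb;
    check_ajax_referer( 'nex_chart_nonce', 'nonce' );

    // Mirrors the "administrators by default, configurable in settings" model:
    // the required capability is read from an option, defaulting to manage_options.
    $required_cap = get_option( 'nex_chart_capability', 'manage_options' );
    if ( ! current_user_can( $required_cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $form_id = absint( $_POST['form_id'] ?? 0 );                       // coerced to int
    $from    = sanitize_text_field( wp_unslash( $_POST['from'] ?? '' ) );
    $to      = sanitize_text_field( wp_unslash( $_POST['to'] ?? '' ) );

    // Allow-list the shape of the dates before they get anywhere near SQL.
    foreach ( array( $from, $to ) as $date ) {
        if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
            wp_send_json_error( 'bad date', 400 );
        }
    }

    // %d and %s placeholders: $wpdb quotes and escapes the values; nothing is
    // concatenated, so user input can never change the statement's structure.
    $sql = $wpdb->prepare(
        "SELECT DATE(created) AS day, COUNT(*) AS total
         FROM {$wpdb->prefix}nex_entries
         WHERE form_id = %d AND created BETWEEN %s AND %s
         GROUP BY day",
        $form_id,
        $from,
        $to
    );
    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}
add_action( 'wp_ajax_nex_stats_chart', 'nex_chart_data_hardened' );
```

The capability check matters even with a prepared statement: the advisory notes the chart permission can be widened in plugin settings, so the SQL layer must be safe regardless of who is allowed to reach it, and the permission layer should still default to the narrowest role that needs the data.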
The EPSS score for this CVE rose from a low baseline to a peak of 0.2287 on 2025-12-11 before receding to the current value of 0.0804, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42569
Vulnerability details
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however this can be configured otherwise via the plugin settings.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.