To protect our infrastructure against attacks, internal penetration tests are an inherent part of our strategy. We hereby put an additional focus on systems that process sensitive client data. During a penetration test of our homepage before the initial go-live, we were able to identify two vulnerabilities in the popular WordPress-Plugin NEX Forms.
Both vulnerabilities were fixed in the subsequent release and can not be exploited in current software versions anymore. More details can be found in this article.
NEX Forms is a popular WordPress plugin for the creation of forms and the management of submitted form data. It has been sold more than 12.500 times and can be found on several WordPress webpages. The plugin offers a functionality to create form reports. These reports can then be exported into PDF or Excel formats. In this component we were able to identify two vulnerabilities.
CVE-2021-34675: NEX Forms Authentication Bypass for PDF Reports
The “Reporting” section of the NEX Forms backend allows users to aggregate form submissions and export them into PDF files. As soon as a selection is exported into PDF, the server stores the resulting file under the following path:
Figure 1: Reporting section with Excel and PDF export functions
During our testing, we were able to identify that this exported file is not access protected. An attacker is thus able to download the file without authentication:
Figure 2: Proof-of-Concept: Unauthenticated access to the PDF report
CVE-2021-43676: NEX Forms Authentication Bypass for Excel Reports
Similar to the previously mentioned finding, another vulnerability for Excel exports exists. Here, the Excel file is not directly stored on the file system of the webserver, but directly returned as a server response.
To abuse this vulnerability a form report has to have been exported into the Excel format. The server then returns the latest Excel file, whenever the GET Parameter “export_csv” with a value of “true” is passed to the backend. This URL handler does not verify any authentication parameters, which allows an attacker to access the contents without prior authentication:
Figure 3: Proof-of-Concept: Unauthenticated access to the Excel report
An attacker that abuses these authentication vulnerabilities may cause the following damage:
- Access to confidential files that have been submitted via any NEX Forms form.
- Access to PII, such as name, e-mail, IP address or phone number
This could lead to a significant loss of the confidentiality of the data processed by the NEX Forms plugin.
Both vulnerabilities were fixed in the subsequent release of the vendor. More information can be found under: https://codecanyon.net/item/nexforms-the-ultimate-wordpress-form-builder/7103891.
We thank the Envato Security Team for patch coordination with the developers and the fast remediation of the identified vulnerabilities.