Vulnerabilities in NEX Forms < 7.8.8

19. July 2021

To protect Pentest Factory’s own IT infrastructure against attacks, internal penetration tests are an essential part of our strategy. We place an additional focus on systems that process sensitive client data. In a penetration test of our homepage prior to our initial go-live, we identified two vulnerabilities, which we forwarded to the vendor for a patch.

Both vulnerabilities were fixed in the subsequent release and can no longer be exploited in current software versions. The details of each vulnerability are described in this blog article.


Background

NEX Forms is a WordPress plugin with more than 12,000 sales. It allows creating forms based on a variety of templates and offers several functions for managing form submissions. One of these functions generates submission reports, which can then be exported into PDF and Excel formats. We identified the following two vulnerabilities within this component:

CVE-2021-34675: NEX Forms Authentication Bypass for PDF Reports

The “Reporting” section of the NEX Forms backend allows users to aggregate form submissions and to export them into the PDF format. As soon as a selection is exported into PDF, the server saves the resulting file under the following location:

/wp-content/uploads/submission_report.pdf

Figure 1: Reporting section with Excel and PDF export functions

During our tests, we noticed that the exported file is not access protected. An attacker is thus able to download the file without authentication:

Figure 2: Proof-of-Concept: Unauthenticated access to the PDF report

CVE-2021-43676: NEX Forms Authentication Bypass for Excel Reports

Similar to the previously described finding, another vulnerability for the Excel file export exists. Here the file is not saved in the file system, but directly returned by the webserver.

To exploit the vulnerability, a report must already have been exported into the Excel format. The server then returns the latest Excel file whenever the GET parameter “export_csv” with a value of “true” is passed to the backend. However, this URL handler does not perform any authentication checks, which allows an attacker to access the file contents without authentication:

Figure 3: Proof-of-Concept: Unauthenticated access to the Excel report
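
To check whether either report was retrieved from a site that ran an affected version, the following added example (not part of the original article and not the plugin's code) scans web server access logs in combined log format for the two request patterns described above. The function name is hypothetical, the log lines are constructed sample data, and the backend path in the sample is a placeholder because the article does not state it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PDF_PATH = "/wp-content/uploads/submission_report.pdf"  # location named in the article
SERVED = {200, 206, 304}  # full body, partial body, or client already held a copy


def find_report_access(lines):
    """Return (ip, timestamp, kind, status) for each request that retrieved a report."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["status"]) not in SERVED:
            continue  # unparseable line, or the server refused the request
        url = urlsplit(m["target"])
        path = unquote(url.path)          # normalise percent-encoded paths
        query = parse_qs(url.query)
        if path.endswith(PDF_PATH):       # endswith: WordPress may live in a subdirectory
            kind = "pdf_report"
        elif "true" in query.get("export_csv", []):
            kind = "excel_report"
        else:
            continue
        hits.append((m["ip"], m["ts"], kind, int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
# "/backend-placeholder/" stands in for the backend URL, which the article does not give.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2021:10:01:02 +0000] "GET /wp-content/uploads/submission_report.pdf HTTP/1.1" 200 48211 "-" "curl/7.68.0"',
    '198.51.100.7 - - [19/Jul/2021:10:01:09 +0000] "GET /backend-placeholder/?export_csv=true HTTP/1.1" 200 9120 "-" "curl/7.68.0"',
    '203.0.113.5 - - [19/Jul/2021:10:02:00 +0000] "GET /wp-content/uploads/submission_report.pdf HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jul/2021:10:03:00 +0000] "GET /contact/?export_csv=false HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jul/2021:10:04:00 +0000] "GET /wp-content/uploads/2021/07/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_report_access(SAMPLE_LOG):
        print(hit)
```

Access logs do not record whether a request was authenticated, so legitimate administrator downloads appear in the results as well; compare the client addresses and timestamps against known administrator activity.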


Possible Impact

An attacker who abuses either of the authentication bypass vulnerabilities could cause the following damage:

  • Access to sensitive data that was submitted via the contact form
  • Access to personally identifiable information, such as names, e-mail addresses or phone numbers

This could lead to a considerable loss of confidentiality for the data processed by NEX Forms.


Vulnerability Fix

Both vulnerabilities were fixed in the vendor's subsequent release. More information can be found at: https://codecanyon.net/item/nexforms-the-ultimate-wordpress-form-builder/7103891.

We thank the Envato Security Team for patch coordination with the developers and the fast remediation of the identified vulnerabilities.