CVE-2020-36670

Name of the Vulnerable Software and Affected Versions NEX-Forms plugin for WordPress versions up to, and including 7.7.1

Description The issue allows unauthorized disclosure and modification of data due to missing capability checks on several AJAX actions. This enables authenticated attackers with subscriber level permissions and above to invoke these functions, which can be used to perform actions like modifying form submission records, deleting files, sending test emails, and modifying plugin settings.

Recommendations For versions up to, and including 7.7.1, update to a version higher than 7.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions until a patch is available. Additionally, restrict permissions to the minimum required for users to perform their tasks, reducing the risk of exploitation by authenticated attackers.