CVE-2026-7046 — SQL Injection

title: NEX-Forms SQL Injection via 'table' parameter — CVE-2026-7046
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects time-based blind SQL Injection attempts targeting the NEX-Forms plugin by looking for specific parameters ('table=nex_forms_settings', '_wpnonce', 'action=save_options', 'id') in the URI query, combined with SQL keywords and a sleep function indicative of a blind SQL injection payload. This targets CVE-2026-7046.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7046/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri-query|contains:
          - "table=nex_forms_settings"
      cs-uri-query|contains:
          - "&_wpnonce="
      cs-uri-query|contains:
          - "&action=save_options"
      cs-uri-query|contains:
          - "&id="
      cs-uri-query|contains:
          - "AND (SELECT "
      cs-uri-query|contains:
          - "FROM"
      cs-uri-query|contains:
          - "WHERE"
      cs-uri-query|contains:
          - "SLEEP("
  selection_base:
      cs-uri-query|contains:
          - "table=nex_forms_settings"
      cs-uri-query|contains:
          - "&_wpnonce="
      cs-uri-query|contains:
          - "&action=save_options"
      cs-uri-query|contains:
          - "&id="
  selection_indicators:
      cs-uri-query|contains:
          - "AND (SELECT "
      cs-uri-query|contains:
          - "FROM"
      cs-uri-query|contains:
          - "WHERE"
      cs-uri-query|contains:
          - "SLEEP("
  condition: selection_base AND selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse