Lucene search
WPScanCVELIST:CVE-2021-24163HistoryApr 05, 2021 - 6:27 p.m.
CVE-2021-24163 Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
2021-04-0518:27:43
CWE-200
WPScan
www.cve.org
2
cve-2021-24163
ninja forms
sendwp plugin installation
client secret key disclosure
ajax action
wordpress plugin
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.
CNA Affected
[
{
"product": "Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.4.34",
"status": "affected",
"version": "3.4.34",
"versionType": "custom"
}
]
}
]Related
cve
cve
CVE-2021-24163
2021-04-05 19:15:15
prion
prion
Design/Logic Flaw
2021-04-05 19:15:00
wpexploit
wpexploit
nvd
nvd
CVE-2021-24163
2021-04-05 19:15:15
wpvulndb
wpvulndb