Japan Vulnerability Notes (jvn), JVN:50361500
History: Apr 08, 2024 - 12:00 a.m.

JVN#50361500: Multiple vulnerabilities in WordPress Plugin "Ninja Forms"

2024-04-08 00:00:00
Japan Vulnerability Notes
jvn.jp
Tags: wordpress, ninja forms, cross-site request forgery, stored cross-site scripting, unintended operations, arbitrary script execution, software update, cve-2024-25572, cve-2024-26019, cve-2024-29220

CVSS3: 8.8

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 6.8 (Confidence: High)

EPSS: 0 (Percentile: 15.5%)

WordPress Plugin “Ninja Forms” provided by Saturday Drive contains multiple vulnerabilities listed below.

  • Cross-site request forgery (CWE-352): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, Base Score 4.3, CVE-2024-25572
  • Stored cross-site scripting in submit processing (CWE-79): CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, Base Score 5.4, CVE-2024-26019
  • Stored cross-site scripting in custom fields for labels (CWE-79): CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, Base Score 5.4, CVE-2024-29220

Impact

  • If a website administrator views a malicious page while logged in, unintended operations may be performed (CVE-2024-25572)
  • An arbitrary script may be executed in the web browser of a user who is accessing the website using the product (CVE-2024-26019, CVE-2024-29220)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Products Affected

CVE-2024-25572

  • Ninja Forms versions prior to 3.4.31

CVE-2024-26019, CVE-2024-29220

  • Ninja Forms versions prior to 3.8.1
