Source: patchstack
Reporter: Sergio Navarro of Dionach
ID: PATCHSTACK:D4C7BDDE0B0BDE74AA5A5F56D6158A83
History: Mar 05, 2015 - 12:00 a.m.

WordPress Ninja Forms Plugin <= 2.8.8 - Multiple XSS

patchstack.com

EPSS: 0.002 (Low)
Percentile: 59.7%

These vulnerabilities allow attackers to inject arbitrary web script or HTML via the “ninja_forms_field_1” parameter in a ninja_forms_ajax_submit action sent to wp-admin/admin-ajax.php. In addition, multiple cross-site scripting vulnerabilities allow administrators to inject arbitrary web script or HTML via the “fields[1]” parameter sent to wp-admin/post.php.

Solution

Update the plugin.

CPE Name      Operator   Version
ninja forms   le         2.8.8
