Ninja Security Vulnerabilities
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth...
4.3CVSS
4.6AI Score
0.001EPSS
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in...
6.1CVSS
6.1AI Score
0.001EPSS
6.5CVSS
6.5AI Score
0.001EPSS
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table...
5.3CVSS
5.3AI Score
0.001EPSS
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email...
5.3CVSS
5.6AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.001EPSS
The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or...
5.4CVSS
5.4AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode...
6.1CVSS
6.1AI Score
0.001EPSS
The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the...
6.1CVSS
6.3AI Score
0.001EPSS
7.5CVSS
7.6AI Score
0.001EPSS
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data...
9.1CVSS
9.2AI Score
0.002EPSS
Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and....
8.1CVSS
8.1AI Score
0.107EPSS
An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect...
6.1CVSS
6.3AI Score
0.003EPSS
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id...
6.1CVSS
6.1AI Score
0.291EPSS
8.6CVSS
8.8AI Score
0.003EPSS
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST...
9.8CVSS
9.5AI Score
0.929EPSS
Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote...
5.9AI Score
0.002EPSS
The Awful Ninja Game (aka com.absolutelyawfulapplications.awfulninjagame) application 1.0.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted...
6AI Score
0.0005EPSS
The Ninja Chicken Adventure Island (aka mominis.Generic_Android.Ninja_Chicken_Adventure_Island) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted...
6AI Score
0.0005EPSS
The Ninja Chicken (aka mominis.Generic_Android.Ninja_Chicken) application 1.7.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted...
6AI Score
0.0005EPSS
The Ninja Chicken Ooga Booga (aka mominis.Generic_Android.Ninja_Chicken_Ooga_Booga) application 1.4.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted...
6AI Score
0.0005EPSS
Directory traversal vulnerability in entries/index.php in Ninja Blog 4.8, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the cat...
6.8AI Score
0.021EPSS