8220 matches found
Ninja Forms WordPress Plugin Opens Websites to Hacks
Click to Register Ninja Forms, a WordPress plugin used by more than 1 million sites, contains four critical security vulnerabilities that together make it possible for a remote attacker to take over a WordPress site and create various kinds of problems. Ninja Forms offers WordPress site designers...
Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure
Low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connection. PoC Usage: php poc.php subscriber password $wpuser, 'pwd' =...
Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection
The wpajaxnfoauthdisconnect from the plugin had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...
Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection
The wpajaxnfoauthdisconnect from the plugin had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. PoC...
WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Authenticated OAuth Connection Key Disclosure vulnerability
Authenticated OAuth Connection Key Disclosure vulnerability found by Chloe Chamberland in WordPress Ninja Forms Contact Form plugin versions = 3.4.33. Solution Update the WordPress Ninja Forms Contact Form plugin to the latest available version at least 3.4.34...
Ninja Forms < 3.4.34 - Administrator Open Redirect
The wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. http://mysite.com/wp-admin/admin-ajax.php?clientid=1&redirect=https://google.com&action=nfoauthconnect...
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the clientsecret key needed to...
WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability found by Chloe Chamberland in WordPress Ninja Forms Contact Form plugin versions = 3.4.33. Solution Update the WordPress Ninja Forms Contact Form plugin to the latest available version at least 3.4.34...
WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Administrator Open Redirect vulnerability
Administrator Open Redirect vulnerability found by Chloe Chamberland in WordPress Ninja Forms Contact Form plugin versions = 3.4.33. Solution Update the WordPress Ninja Forms Contact Form plugin to the latest available version at least 3.4.34...
Ninja Forms < 3.4.34 - Administrator Open Redirect
The wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. PoC http://mysite.com/wp-admin/admin-ajax.php?clientid=1=https://google.com=nfoauthconnect...
Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure
Low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connection. Usage: php poc.php subscriber password $wpuser, 'pwd' = $wppas...
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the clientsecret key needed to...
WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure vulnerability
Authenticated SendWP Plugin Installation and Client Secret Key Disclosure vulnerability found by Chloe Chamberland in WordPress Ninja Forms Contact Form plugin versions = 3.4.33. Solution Update the WordPress Ninja Forms Contact Form plugin to the latest available version at least 3.4.34...
[SECURITY] Fedora 33 Update: rubygem-mechanize-2.7.7-1.fc33
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, can follow links, and submit forms. Form fields can be populated and submitted. Mechanize also keeps track of the sites that you have visited as a history...
VulnCheck KEV: CVE-2012-1710
Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware allows remote attackers to affect confidentiality, integrity, and availability via Unknown vectors related to Designer...
CVE-2020-35125
A cross-site scripting XSS vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mauticreturn a different attack method than CVE-2020-35124, but also related to the Referer concept...
CVE-2020-35125
A cross-site scripting XSS vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mauticreturn a different attack method than CVE-2020-35124, but also related to the Referer concept...
Cross site scripting
A cross-site scripting XSS vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mauticreturn a different attack method than CVE-2020-35124, but also related to the Referer concept...
CVE-2020-35125
A cross-site scripting XSS vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mauticreturn a different attack method than CVE-2020-35124, but also related to the Referer concept...
PT-2021-11711 · Mautic · Mautic
Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 2.16.5 Mautic versions prior to 3.2.4 Description: A cross-site scripting XSS issue in the forms component allows remote attackers to inject executable JavaScript via mauticreturn. This could allow an attacker...