Cross site scripting
Auth. admin+ Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress via "label"...
CVE-2021-36827
CVE-2021-36827 affects the WordPress Ninja Forms Contact Form plugin (versions ≤ 3.6.9). The vulnerability is an authenticated stored XSS via the label field, exploitable by an admin+ user. Impact is documented as a stored XSS; exploitation status is not described in these sources. The recommende...
USN-5482-1: SPIP vulnerabilities
It was discovered that SPIP incorrectly validated inputs. An authenticated attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. CVE-2020-28984 Charles Fol and Théo Gordyjan discovered that SPIP is vulnerable to Cross Site Scripting (XSS). If a...
PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin
On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security updates in WordPress plugins and themes, our team analyzed the plugin to determine the exploitability...
PT-2022-10566 · WordPress · Ninja Forms Contact Form
Name of the Vulnerable Software and Affected Versions: Ninja Forms Contact Form plugin versions prior to 3.6.9. Description: The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. It affects the Ninja Forms Contact Form plugin a...
WordPress plugin Ninja Forms Contact Form cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress plugin Ninja Forms Contact Form 3.6.9 and earlier versions have a cross-site scripting...
WordPress Ninja Forms plugin <= 3.6.10 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered in WordPress Ninja Forms plugin versions <= 3.6.10. Solution: Update the WordPress Ninja Forms plugin to the latest available version, at least 3.6.11...
Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection
The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...
CVE-2022-31041
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users e.g. only PDF / Excel / .... The input validation of uploaded fil...
CVE-2022-31041 Insufficient content-type validation for uploaded files in open-forms
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users e.g. only PDF / Excel / .... The input validation of uploaded fil...
CVE-2022-31041
Open Forms prior to versions 1.0.9 and 1.1.1 are affected by insufficient input validation for uploaded files, allowing end users to bypass extension-based checks by stripping or altering file extensions. This can lead to uploaded files being misrepresented as another type and potentially downloa...
CVE-2022-31040
Open Forms is an application for creating and publishing smart forms. Prior to versions 1.0.9 and 1.1.1, the cookie consent page in Open Forms contains an open redirect by injecting a referer querystring parameter and failing to validate the value. A malicious actor is able to redirect users to a...
Open redirect
Open Forms is an application for creating and publishing smart forms. Prior to versions 1.0.9 and 1.1.1, the cookie consent page in Open Forms contains an open redirect by injecting a referer querystring parameter and failing to validate the value. A malicious actor is able to redirect users to a...
CVE-2022-31040
CVE-2022-31040 affects Open Forms before versions 1.0.9 and 1.1.1, where the cookie consent page contains an open redirect via an injectable referer query parameter. The issue enables phishing redirects initiated by the Open Forms backend on a legitimate page. Connected sources confirm patches in...
CVE-2022-31040 Open Redirect in open-forms
Open Forms is an application for creating and publishing smart forms. Prior to versions 1.0.9 and 1.1.1, the cookie consent page in Open Forms contains an open redirect by injecting a referer querystring parameter and failing to validate the value. A malicious actor is able to redirect users to a...
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: As admin, put the following payload in a field label: The XSS will be triggered when editing the form, as well as ...