8172 matches found

WPVulnDB
added 2021/09/27 12:00 a.m. | 32 views

WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: 1. Go to Forms. 2. Go to Add New Form. 3. In the title put 4. Save...

CVSS 4.8 | AI score 0.4 | EPSS 0.00598
Exploits: 2 | Affected Software: 1
Patchstack
added 2021/09/27 12:00 a.m. | 11 views

WordPress Contact Forms by Cimatti plugin <= 1.4.11 - Stored Cross-Site Scripting (XSS) vulnerability

Stored Cross-Site Scripting (XSS) vulnerability discovered by Felipe Restrepo Rodriguez, Sebastian Cruz Cardona in WordPress Contact Forms by Cimatti plugin versions <= 1.4.11. Solution: Update the WordPress Contact Forms by Cimatti plugin to the latest available version (at least 1.4.12)...

AI score 2.5 | EPSS 0.00598
Exploits: 2 | References: 3 | Affected Software: 1
CNNVD
added 2021/09/27 12:00 a.m. | 3 views

PortlandLabs Concrete CMS path traversal vulnerability

PortlandLabs Concrete CMS is a team-oriented open source content management system from PortlandLabs, Inc. PortlandLabs Concrete CMS 8.5.5 and earlier has a security vulnerability that could be exploited by an attacker to cause path traversal in RCE via an external form by adding regular...

CVSS 9.8 | AI score 8.2 | EPSS 0.01574
Exploits: 0 | References: 2
wpexploit
added 2021/09/27 12:00 a.m. | 515 views

WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1. Go to Forms. 2. Go to Add New Form. 3. In the title put alert"Ehlo"; 4. Save...

CVSS 4.8 | AI score 0.3 | EPSS 0.00598
Exploits: 2
OSV
added 2021/09/22 6:15 p.m. | 2 views

CVE-2021-34647

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...

CVSS 6.5 | AI score 5.7 | EPSS 0.01122
Exploits: 2 | References: 2
OSV
added 2021/09/22 6:15 p.m. | 2 views

CVE-2021-34648

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 4.3 | AI score 5.8 | EPSS 0.00636
Exploits: 2 | References: 2
NVD
added 2021/09/22 6:15 p.m. | 16 views

CVE-2021-34648

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 6.4 | EPSS 0.00636
Exploits: 2 | References: 2
NVD
added 2021/09/22 6:15 p.m. | 8 views

CVE-2021-34647

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...

CVSS 6.5 | EPSS 0.01122
Exploits: 2 | References: 2
Prion
added 2021/09/22 6:15 p.m. | 13 views

Code injection

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 4 | AI score 4.6 | EPSS 0.00636
Exploits: 2 | References: 2 | Affected Software: 1
Prion
added 2021/09/22 6:15 p.m. | 18 views

Information disclosure

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...

CVSS 4 | AI score 6.1 | EPSS 0.01122
Exploits: 2 | References: 2 | Affected Software: 1
Vulnrichment
added 2021/09/22 5:53 p.m. | 9 views

CVE-2021-34647 Ninja Forms <= 3.5.7 Sensitive Information Disclosure

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...

CVSS 6.5 | AI score 6.2 | EPSS 0.01122
Exploits: 2 | References: 2
CVE
added 2021/09/22 5:53 p.m. | 50 views

CVE-2021-34647

The CVE-2021-34647 entry documents a vulnerability in the WordPress Ninja Forms plugin (versions up to and including 3.5.7) where an authenticated user can access the REST API endpoint /ninja-forms-submissions/export to export all submissions, potentially exposing PII. The root cause is a lack of...

CVSS 6.5 | AI score 6.1 | EPSS 0.01122
Exploits: 2 | References: 2 | Affected Software: 1
Vulnrichment
added 2021/09/22 5:53 p.m. | 7 views

CVE-2021-34648 Ninja Forms <= 3.5.7 Unprotected REST-API to Email Injection

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 6.4 | AI score 6.3 | EPSS 0.00636
Exploits: 2 | References: 2
Cvelist
added 2021/09/22 5:53 p.m. | 13 views

CVE-2021-34648 Ninja Forms <= 3.5.7 Unprotected REST-API to Email Injection

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 6.4 | AI score 6.5 | EPSS 0.00636
Exploits: 2 | References: 2
CVE
added 2021/09/22 5:53 p.m. | 57 views

CVE-2021-34648

The CVE-2021-34648 issue affects the WordPress Ninja Forms plugin (up to version 3.5.7). The vulnerability arises from an unprotected REST API endpoint, specifically /ninja-forms-submissions/email-action, where the trigger_email_action function in includes/Routes/Submissions.php can be invoked by...

CVSS 6.4 | AI score 4.7 | EPSS 0.00636
Exploits: 2 | References: 2 | Affected Software: 1
Wordfence Blog
added 2021/09/22 3:00 p.m. | 32 views

Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and...

CVSS 4 | AI score 6.6 | EPSS 0.01122
Exploits: 4
Patchstack
added 2021/09/22 12:00 a.m. | 21 views

WordPress Ninja Forms Contact Form plugin <= 3.5.7 - Unprotected REST-API to Email Injection vulnerability

Unprotected REST-API to Email Injection vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Ninja Forms Contact Form plugin versions <= 3.5.7. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.5.8)...

CVSS 6.4 | AI score 3.2 | EPSS 0.00636
Exploits: 2 | References: 3 | Affected Software: 1
Patchstack
added 2021/09/22 12:00 a.m. | 22 views

WordPress Ninja Forms Contact Form plugin <= 3.5.7 - Unprotected REST-API to Sensitive Information Disclosure vulnerability

Unprotected REST-API to Sensitive Information Disclosure vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Ninja Forms Contact Form plugin versions <= 3.5.7. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.5.8)...

CVSS 6.5 | AI score 2.7 | EPSS 0.01122
Exploits: 2 | References: 3 | Affected Software: 1
WPVulnDB
added 2021/09/22 12:00 a.m. | 23 views

Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection

The plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 6.4 | AI score 0.8 | EPSS 0.00636
Exploits: 2 | References: 1 | Affected Software: 1
wpexploit
added 2021/09/22 12:00 a.m. | 136 views

Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection

The plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...

CVSS 6.4 | AI score 0.4 | EPSS 0.00636
Exploits: 2 | References: 1