Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the...
VulnCheck KEV: CVE-2021-34647
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data...
WordPress Plugin Security Vulnerability
WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in the WordPress plugin Ninja Forms 3.5.7 and earlier versions, where an authenticated attacker can export all Ninja Forms submissions, which may contain personally identifiable information, via t...
PT-2021-20615 · WordPress · Ninja Forms
Name of the Vulnerable Software and Affected Versions: Ninja Forms WordPress plugin versions up to and including 3.5.7. Description: The issue allows authenticated attackers to export all Ninja Forms submissions data via the "/ninja-forms-submissions/export" REST API, which can include personally...
PT-2021-20616 · WordPress · Ninja Forms
Name of the Vulnerable Software and Affected Versions: Ninja Forms WordPress plugin versions up to and including 3.5.7. Description: The issue allows authenticated attackers to send arbitrary emails from the affected server via the "/ninja-forms-submissions/email-action" REST API endpoint, utilizi...
WordPress Plugin Security Vulnerability
WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in the WordPress plugin Ninja Forms 3.5.7 and earlier versions, where an authenticated attacker could export all Ninja Forms submissions, which may contain personally identifiable information, via...
VulnCheck KEV: CVE-2021-34648
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...
GamePress <= 1.1.0 - Reflected Cross-Site Scripting
The plugin does not escape the op_edit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues. Affected pages: op=engines, op=perspectives, op=modes, op=genres, op=themes, op=platforms...
WordPress PlanSo Forms plugin <= 2.6.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Felipe Restrepo Rodriguez in WordPress PlanSo Forms plugin versions <= 2.6.3. Solution: Deactivate and delete. This plugin has been closed as of August 2, 2021 and is not available for download. Reason: Security Issue...
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html capability is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. Timeline: July 12th, 2021 - Vendor...
CVE-2021-37531
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be...
Design/Logic Flaw
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be...
CVE-2021-37531
SAP NetWeaver Knowledge Management XML Forms (versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50) is affected by an XSLT processing vulnerability that allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet containing OS-level commands, place it where the system can access...
Avada < 7.4.2 - Stored Cross-Site Scripting
Description: The Avada Forms component allowed unescaped HTML form entries to be loaded on the backend...
CVE-2021-38335
The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0...
Cross site scripting
The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0...