8171 matches found
CVE-2021-24163
The CVE-2021-24163 issue affects the WordPress plugin Ninja Forms (The Drag and Drop Form Builder) prior to version 3.4.34. The vulnerability is in the AJAX action wp_ajax_ninja_forms_sendwp_remote_install_handler, which lacks capability checks and nonce protection, enabling low-privilege users (...
CVE-2021-24166
Affected software: WordPress plugin Ninja Forms – Drag and Drop Form Builder. Vulnerability: CSRF to OAuth service disconnection in wp_ajax_nf_oauth_disconnect due to no nonce protection in versions before 3.4.34. Impact: unauthorized user can craft requests to disconnect a site’s OAuth connectio...
CVE-2021-24165
CVE-2021-24165 affects WordPress Ninja Forms plugin prior to 3.4.34. The open redirect stems from the wp_ajax_nf_oauth_connect action, using a user-supplied redirect parameter without protection. This allows redirecting users to a malicious site, with potential exposure of data or unauthorized ac...
CVE-2021-24164
CVE-2021-24164 affects the Ninja Forms Contact Form WordPress plugin up to version 3.4.34.1. The vulnerability allows low-privilege authenticated users (e.g., subscribers) to trigger the wp_ajax_nf_oauth action and disclose sensitive OAuth data, including the connection URL needed to establish a ...
WordPress Ninja Forms Contact Form Input Validation Error Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports personal blog sites on PHP and MySQL servers. An input validation error vulnerability exists in the Ninja Forms Contact Form WordPress plugin before 3.4.34, which...
WordPress Ninja Forms Contact Form Information Disclosure Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An information disclosure vulnerability exists in the Ninja Forms Contact Form WordPress plugin befo...
PT-2021-15709 · WordPress · Sendwp Ninja Forms Contact Form
Name of the Vulnerable Software and Affected Versions: SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress versions prior to 3.4.34. Description: The issue arises from the lack of capability checks and nonce protection in the AJAX action wp_ajax_ninja_forms_sendwp_remote...
PT-2021-15710 · WordPress · Ninja Forms Contact Form
Name of the Vulnerable Software and Affected Versions: Ninja Forms Contact Form WordPress plugin versions prior to 3.4.34.1. Description: The issue allows low-level users, such as subscribers, to trigger the wp_ajax_nf_oauth action and retrieve the connection URL needed to establish a connection...
Ivory Search < 4.6.1 - Reflected Cross Site Scripting (XSS)
The Search Forms page of the plugin did not properly sanitise the tab parameter before outputting it in the page, leading to a reflected Cross-Site Scripting issue when a high-privilege user opens a maliciously crafted link. Knowledge of a form id is required to conduct the attack. PoC...
Easy Form Builder <= 1.0 - Unauthorised AJAX calls
While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...
HackerOne: Temporary banned user (from platform) is able to make submissions via embedded submission forms
Summary: Hello team! We have discovered an issue which allows a temporarily banned user to submit new reports using embedded submission forms. The hacker can submit submissions via embedded forms using his/her email address. Once the ban is over, the hacker can claim his/her report via invitation link...
WordPress Constant Contact Forms Cross-Site Scripting Vulnerability
WordPress Constant Contact Forms is an open source WordPress plugin. It allows websites to capture visitor information directly and easily. A cross-site scripting vulnerability exists in versions of the Constant Contact Forms WordPress plugin prior to 1.8.8. The vulnerability stems fr...
ALPINE-CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
PYSEC-2021-19
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
UBUNTU-CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
CVE-2021-24134
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...
Cross site scripting
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...
CVE-2021-24134
The CVE affects the WordPress plugin Constant Contact Forms