Lucene search
K
NinjaformsNinja Forms

57 matches found

CVE
CVE
added 2020/02/14 7:1 p.m.166 views

CVE-2020-8594

The CVE-2020-8594 entry describes a stored XSS vulnerability in the WordPress Ninja Forms plugin, affecting version 3.4.22 (and earlier). The issue is triggered via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format], with r...

5.4CVSS5.4AI score0.01195EPSS
CVE
CVE
added 2023/07/27 2:8 p.m.148 views

CVE-2023-37979

The CVE-2023-37979 entry maps to the Ninja Forms WordPress plugin with reflected XSS in versions

7.1CVSS6AI score0.0601EPSS
CVE
CVE
added 2023/05/15 12:15 p.m.108 views

CVE-2023-1835

The CVE-2023-1835 entry concerns the Ninja Forms Contact Form WordPress plugin prior to 3.6.22. The connected documents provide concrete details: the vulnerability is a Reflected Cross-Site Scripting caused by insufficient input sanitization and output escaping, exposed via the page parameter and...

6.1CVSS6.1AI score0.00925EPSS
CVE
CVE
added 2024/06/19 1:6 p.m.102 views

CVE-2023-38386

CVE-2023-38386 affects the WordPress Ninja Forms plugin, specifically versions up to 3.6.25, due to a Missing Authorization/Broken Access Control issue in the form submissions export feature. Root cause involves insufficient access restrictions allowing certain users to export submissions. The CV...

9.8CVSS7.5AI score0.00431EPSS
CVE
CVE
added 2024/09/25 6:49 a.m.97 views

CVE-2024-3866

CVE-2024-3866 refers to the Ninja Forms Contact Form plugin for WordPress, vulnerable up to version 3.8.15. The issue is a Reflected Self-Based Cross-Site Scripting via the Referer header caused by insufficient input sanitization and output escaping. It can allow unauthenticated attackers to inje...

6.1CVSS5.5AI score0.00274EPSS
CVE
CVE
added 2024/06/19 2:15 p.m.94 views

CVE-2023-38393

CVE-2023-38393 is a vulnerability in WordPress Ninja Forms plugin versions ≤ 3.6.25, described as Missing Authorization / Broken Access Control. The issue permits a user with Subscriber/Contributor roles to perform an unauthorized action (export of all Ninja Forms submissions) due to a broken acc...

8.8CVSS7.8AI score0.00427EPSS
CVE
CVE
added 2024/12/29 5:22 a.m.94 views

CVE-2024-12238

CVE-2024-12238 affects the WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You. The vulnerability allows arbitrary shortcode execution in all versions up to and including 3.8.22 due to insufficient validation when do_shortcode is executed. This enables authenticated attack...

6.3CVSS6.5AI score0.00478EPSS
CVE
CVE
added 2024/12/12 5:24 a.m.90 views

CVE-2024-11052

CVE-2024-11052 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress). In all versions up to 3.8.19, the plugin is vulnerable to Stored Cross‑Site Scripting via the calculations parameter due to insufficient input sanitization and output escaping, enabling unauthenticated ...

7.2CVSS6.2AI score0.00306EPSS
CVE
CVE
added 2024/11/19 4:32 p.m.89 views

CVE-2024-50514

CVE-2024-50514 affects WordPress Ninja Forms plugin versions up to and including 3.8.16, with an improper neutralization of input during page generation leading to a stored XSS vulnerability. The issue is triggered in Ninja Forms’ web page generation flow and is classified with a low to moderate ...

5.9CVSS5.9AI score0.0038EPSS
CVE
CVE
added 2024/04/17 9:9 a.m.85 views

CVE-2023-36505

CVE-2023-36505 affects the Ninja Forms Contact Form WordPress plugin (versions

7.2CVSS8.6AI score0.00601EPSS
CVE
CVE
added 2024/09/02 6:0 a.m.81 views

CVE-2024-7354

CVE-2024-7354 affects Ninja Forms for WordPress prior to 3.8.11. The issue is that the plugin does not escape a URL before printing it within an HTML attribute, enabling a reflected XSS attack that could target high-privilege users (e.g., admins). The NVD/NIST entry documents a CVSS 3.1 base scor...

6.1CVSS6AI score0.00662EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.80 views

CVE-2021-24165

CVE-2021-24165 affects WordPress Ninja Forms plugin prior to 3.4.34. The open redirect stems from the wp_ajax_nf_oauth_connect action, using a user-supplied redirect parameter without protection. This allows redirecting users to a malicious site, with potential exposure of data or unauthorized ac...

6.1CVSS6.2AI score0.01643EPSS
CVE
CVE
added 2025/01/30 7:23 a.m.80 views

CVE-2024-13470

CVE-2024-13470 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress) and is vulnerable in all versions up to 3.8.24 due to insufficient input sanitization and output escaping on shortcode attributes. This enables a stored cross-site scripting (XSS) payload by authenticate...

6.4CVSS5.7AI score0.00297EPSS
CVE
CVE
added 2020/04/29 4:23 p.m.77 views

CVE-2020-12462

CVE-2020-12462 affects the WordPress Ninja Forms plugin prior to 3.4.24.2. Multiple sources (Red Hat, CVE/NVD, WPVulndB) describe a CSRF bug that can yield a stored XSS condition via the plugin’s import/contact features. Root cause: CSRF vulnerability exploited to inject arbitrary JavaScript. Imp...

6.1CVSS6.3AI score0.00459EPSS
CVE
CVE
added 2022/07/04 1:5 p.m.77 views

CVE-2021-25056

The CVE-2021-25056 entry concerns the WordPress Ninja Forms Contact Form plugin (pre-3.6.10). Root cause: the plugin fails to sanitize and escape field labels, allowing stored Cross-Site Scripting by high-privilege users, even when unfiltered_html is disallowed. Affected software: Ninja Forms Con...

4.8CVSS4.7AI score0.00552EPSS
CVE
CVE
added 2024/02/02 4:32 a.m.76 views

CVE-2024-0685

CVE-2024-0685 (Ninja Forms) affects the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin. Reported as a Second Order SQL Injection via the email field used in forms, in all versions up to and including 3.7.1. Root cause: insufficient escaping of the user-supplied ema...

9.8CVSS9.7AI score0.00778EPSS
CVE
CVE
added 2024/04/11 2:29 a.m.74 views

CVE-2024-25572

CVE-2024-25572 affects Ninja Forms for WordPress prior to version 3.4.31. The issue is a CSRF vulnerability: if an administrator views a malicious page while logged in, unintended operations may be performed. Affected product/version: Ninja Forms before 3.4.31. Red Hat, NVD, JVN and related sourc...

8.8CVSS6.8AI score0.00311EPSS
CVE
CVE
added 2016/05/14 3:0 p.m.72 views

CVE-2016-1209

CVE-2016-1209 affects WordPress Ninja Forms, with vulnerable versions 2.9.36 to 2.9.42 (and 2.9.42.1 as fix variants) allowing remote PHP object injection via crafted POST data, enabling unauthenticated code execution through file upload. Exploitation details are evidenced by Metasploit/Exploit-D...

9.8CVSS9.5AI score0.61612EPSS
CVE
CVE
added 2024/07/09 12:22 p.m.71 views

CVE-2024-37934

The CVE-2024-37934 entry concerns the Ninja Forms WordPress plugin. Public sources describe an improper generation of code (code injection) vulnerability that enables Arbitrary Shortcode Execution in Ninja Forms versions up to 3.8.4. Connected Red Hat/Wordfence references corroborate a vulnerabil...

9.8CVSS7.6AI score0.00467EPSS
CVE
CVE
added 2022/06/16 5:11 p.m.69 views

CVE-2021-36827

CVE-2021-36827 affects the WordPress Ninja Forms Contact Form plugin (versions ≤ 3.6.9). The vulnerability is an authenticated stored XSS via the label field, exploitable by an admin+ user. Impact is documented as a stored XSS; exploitation status is not described in these sources. The recommende...

4.8CVSS4.8AI score0.00484EPSS
CVE
CVE
added 2024/03/29 6:44 a.m.69 views

CVE-2024-2108

Technical details about CVE-2024-2108 are not publicly provided in the supplied documents. No patch version, affected product/version, root cause, or exploit specifics are present; monitor official advisories from Red Hat and WordPress/plugin vendors for updates.

5.4CVSS7.7AI score0.00343EPSS
CVE
CVE
added 2024/11/19 4:32 p.m.69 views

CVE-2024-50515

CVE-2024-50515 affects the WordPress Ninja Forms plugin (versions ≤ 3.8.16). The issue is an improper neutralization of input during page generation, leading to a Stored XSS vulnerability in Ninja Forms. According to Patchstack, the vulnerability requires Administrator privileges and is classifie...

5.9CVSS5.9AI score0.0038EPSS
CVE
CVE
added 2022/09/26 12:35 p.m.68 views

CVE-2022-2903

The CVE-2022-2903 entry corresponds to the WordPress Ninja Forms Contact Form plugin (versions before 3.6.13). The vulnerability is described as insecure deserialization: importing a malicious file can lead to PHP object injection if a suitable gadget chain exists on the site. Impact is documente...

7.2CVSS7AI score0.0108EPSS
CVE
CVE
added 2024/09/17 11:14 p.m.68 views

CVE-2024-43999

CVE-2024-43999 pertains to Ninja Forms (WordPress plugin) prior to or equal to 3.8.11 and is described as a Stored XSS vulnerability caused by improper input neutralization during web page generation. The CVE details indicate the issue affects Ninja Forms: from n/a through 3.8.11, with CVSSv3.1 b...

5.9CVSS5.7AI score0.00297EPSS
CVE
CVE
added 2024/03/29 6:43 a.m.65 views

CVE-2024-2113

CVE-2024-2113 affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress up to version 3.8.0. The vulnerability arises from missing or incorrect nonce validation on the nf_download_all_subs AJAX action, enabling unauthenticated attackers to trigger exporting a form’s submissi...

4.3CVSS5.2AI score0.00237EPSS
CVE
CVE
added 2024/04/11 2:29 a.m.65 views

CVE-2024-29220

CVE-2024-29220 affects Ninja Forms (WordPress) prior to 3.8.1. The issue is a cross-site scripting (XSS) vulnerability in the labels of custom fields, allowing an attacker to cause arbitrary script execution in a user’s browser when visiting a site using the product. Public references confirm the...

6.1CVSS6.2AI score0.00454EPSS
CVE
CVE
added 2021/01/06 2:31 p.m.63 views

CVE-2020-36174

CVE-2020-36174 affects the WordPress Ninja Forms plugin prior to version 3.4.27.1. The vulnerability is CSRF through the plugin’s services integration, enabling an attacker to trigger actions on behalf of an authenticated user. Public sources in the connected set corroborate that this issue is ro...

6.5CVSS6.5AI score0.00593EPSS
CVE
CVE
added 2021/09/22 5:53 p.m.63 views

CVE-2021-34648

The CVE-2021-34648 issue affects the WordPress Ninja Forms plugin (up to version 3.5.7). The vulnerability arises from an unprotected REST API endpoint, specifically /ninja-forms-submissions/email-action, where the trigger_email_action function in includes/Routes/Submissions.php can be invoked by...

6.4CVSS4.7AI score0.00636EPSS
CVE
CVE
added 2024/08/26 8:58 p.m.63 views

CVE-2024-39628

CVE-2024-39628 describes a CSRF vulnerability in the Ninja Forms WordPress plugin affecting versions

8.8CVSS7AI score0.0019EPSS
CVE
CVE
added 2025/05/19 6:0 a.m.63 views

CVE-2025-2560

The CVE-2025-2560 entry concerns Ninja Forms for WordPress prior to version 3.10.1. Public sources confirm the issue: settings are not properly sanitised/escaped, enabling Stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multis...

4.8CVSS5.4AI score0.00214EPSS
CVE
CVE
added 2022/07/04 1:5 p.m.62 views

CVE-2021-25066

CVE-2021-25066 affects the WordPress Ninja Forms Contact Form plugin (prior to 3.6.10). The root cause is failure to sanitize/escape some imported data, enabling stored Cross-Site Scripting by high-privilege users even when unfiltered_html is disallowed. The impact is stored XSS within the plugin...

4.8CVSS4.6AI score0.00552EPSS
CVE
CVE
added 2015/03/05 4:0 p.m.61 views

CVE-2015-2220

The CVE-2015-2220 entry concerns the WordPress Ninja Forms plugin with XSS vulnerabilities in versions before 2.8.9. Two vectors are reported: (1) via ninja_forms_field_1 in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php, and (2) via fields[1] in wp-admin/post.php. These permit remot...

4.3CVSS5.9AI score0.02041EPSS
CVE
CVE
added 2024/04/11 2:29 a.m.60 views

CVE-2024-26019

CVE-2024-26019 affects Ninja Forms (WordPress) prior to 3.8.1, enabling a cross‑site scripting (XSS) vulnerability in submit processing. Exploitation could cause arbitrary JavaScript execution in the web browser of a user visiting the affected site. The root cause is insufficient input sanitizati...

5.4CVSS6.1AI score0.00532EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.57 views

CVE-2021-24163

The CVE-2021-24163 issue affects the WordPress plugin Ninja Forms (The Drag and Drop Form Builder) prior to version 3.4.34. The vulnerability is in the AJAX action wp_ajax_ninja_forms_sendwp_remote_install_handler, which lacks capability checks and nonce protection, enabling low-privilege users (...

8.8CVSS8.7AI score0.01439EPSS
CVE
CVE
added 2021/11/29 8:25 a.m.57 views

CVE-2021-24889

The CVE refers to WordPress Ninja Forms Contact Form plugin. Up to version 3.6.3 (3.6.4 fixes) the vulnerability stems from not escaping keys of POST parameters, enabling SQL injection by high-privilege users. Affected product: Ninja Forms Contact Form WordPress plugin. Root cause: missing escapi...

7.2CVSS7AI score0.01275EPSS
CVE
CVE
added 2021/09/22 5:53 p.m.57 views

CVE-2021-34647

The CVE-2021-34647 entry documents a vulnerability in the WordPress Ninja Forms plugin (versions up to and including 3.5.7) where an authenticated user can access the REST API endpoint /ninja-forms-submissions/export to export all submissions, potentially exposing PII. The root cause is a lack of...

6.5CVSS6.1AI score0.01122EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.56 views

CVE-2021-24164

CVE-2021-24164 affects the Ninja Forms Contact Form WordPress plugin up to version 3.4.34.1. The vulnerability allows low-privilege authenticated users (e.g., subscribers) to trigger the wp_ajax_nf_oauth action and disclose sensitive OAuth data, including the connection URL needed to establish a ...

4.3CVSS4.6AI score0.00889EPSS
CVE
CVE
added 2019/08/22 12:40 p.m.55 views

CVE-2018-20981

CVE-2018-20981 affects the WordPress Ninja Forms plugin prior to version 3.3.9. The issue is described as insufficient restrictions on submission-data retrieval during Export Personal Data requests, which could enable access to personal data during the export process. The available connected docu...

9.1CVSS9.2AI score0.01744EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.54 views

CVE-2021-24166

Affected software: WordPress plugin Ninja Forms – Drag and Drop Form Builder. Vulnerability: CSRF to OAuth service disconnection in wp_ajax_nf_oauth_disconnect due to no nonce protection in versions before 3.4.34. Impact: unauthorized user can craft requests to disconnect a site’s OAuth connectio...

5.8CVSS5.5AI score0.00458EPSS
CVE
CVE
added 2019/08/22 12:42 p.m.52 views

CVE-2017-18574

The CVE refers to the Ninja Forms WordPress plugin (before version 3.0.31) with insufficient HTML escaping in the builder, leading to an XSS vulnerability. Affected: Ninja Forms plugin for WordPress; root cause: inadequate escaping in the builder component. Impact: cross-site scripting potential;...

6.1CVSS6.3AI score0.00915EPSS
CVE
CVE
added 2018/09/01 6:0 p.m.52 views

CVE-2018-16308

CVE-2018-16308 — CSV Injection in WordPress Ninja Forms is a vulnerability in the Ninja Forms plugin for WordPress, affecting versions before 3.3.14.1. The issue is a CSV injection flaw in the plugin’s handling of form data exported to CSV. The CVSS metrics indicate a high impact when exploited l...

8.6CVSS8.8AI score0.0179EPSS
CVE
CVE
added 2021/01/06 2:32 p.m.51 views

CVE-2020-36173

The CVE-2020-36173 entry concerns the WordPress Ninja Forms plugin before version 3.4.28. Connected sources confirm a vulnerability in the submissions-table fields due to missing escaping, allowing potential Cross‑Site Scripting (XSS). The core issue is improper escaping of HTML content in submis...

5.3CVSS5.3AI score0.01117EPSS
CVE
CVE
added 2021/01/06 2:31 p.m.50 views

CVE-2020-36175

The CVE-2020-36175 entry concerns the WordPress Ninja Forms plugin prior to version 3.4.27.1. Connected documents confirm a vulnerability where the email field can bypass validation, enabling input that should be rejected by the form’s validation logic. The affected component is the Ninja Forms W...

5.3CVSS5.6AI score0.01183EPSS
CVE
CVE
added 2025/05/19 6:0 a.m.50 views

CVE-2025-2524

CVE-2025-2524 concerns Ninja Forms for WordPress: versions before 3.10.1 allow Stored XSS by high-privilege users (e.g., admins) due to insufficient sanitisation/escaping of certain settings, even when unfiltered_html is disallowed (e.g., multisite). Impact is admin-level stored XSS, with no publ...

4.8CVSS5.4AI score0.00278EPSS
CVE
CVE
added 2023/12/07 11:15 a.m.49 views

CVE-2023-35909

CVE-2023-35909 affects the Ninja Forms Contact Form (Ninja Forms) WordPress plugin, specifically versions up to 3.6.25. It is an Uncontrolled Resource Consumption vulnerability that can cause a Denial of Service (DoS) and is exploitable without authentication via large form submissions. CVSS v3.1...

5.3CVSS6.8AI score0.00636EPSS
CVE
CVE
added 2023/11/06 8:41 p.m.48 views

CVE-2023-5530

CVE-2023-5530 affects the WordPress plugin Ninja Forms Contact Form, version prior to 3.6.34. The issue is that label fields are not sanitized/escaped, potentially allowing Stored XSS by high-privilege users (admin) who have unfiltered_html, a capability they already possess. The vulnerability is...

4.8CVSS4.7AI score0.0062EPSS
CVE
CVE
added 2018/12/03 6:0 a.m.47 views

CVE-2018-19796

CVE-2018-19796 – Open Redirect in Ninja Forms (WordPress) . Affected software: WordPress Ninja Forms plugin versions before 3.3.19.1. Component: lib/StepProcessing/step-processing.php (submission/download page). Root cause: improper handling of the redirect parameter enables remote attackers to r...

6.1CVSS6.3AI score0.01581EPSS
CVE
CVE
added 2018/02/21 4:0 p.m.46 views

CVE-2018-7280

CVE-2018-7280 affects the WordPress Ninja Forms plugin prior to 3.2.14 (i.e., versions

6.1CVSS6.3AI score0.00775EPSS
CVE
CVE
added 2019/08/22 12:37 p.m.45 views

CVE-2018-20980

CVE-2018-20980 affects the Ninja Forms plugin for WordPress prior to version 3.2.15, with a parameter tampering vulnerability. The NVD metrics indicate a CVSS-3 base score of 7.5 (HIGH), driven by network attack vector, low complexity, no privileges required, but impact on integrity is HIGH while...

7.5CVSS7.6AI score0.01392EPSS
CVE
CVE
added 2015/03/05 4:0 p.m.43 views

CVE-2014-9688

CVE-2014-9688 concerns the Ninja Forms WordPress plugin, specifically versions before 2.8.10. The connected sources describe an unspecified vulnerability with unknown impact and remote attack vectors related to admin users. The NVD metrics indicate partial confidentiality, integrity, and availabi...

7.5CVSS6.8AI score0.02017EPSS
Total number of security vulnerabilities57