57 matches found
CVE-2020-8594
The CVE-2020-8594 entry describes a stored XSS vulnerability in the WordPress Ninja Forms plugin, affecting version 3.4.22 (and earlier). The issue is triggered via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format], with r...
CVE-2023-37979
The CVE-2023-37979 entry maps to the Ninja Forms WordPress plugin with reflected XSS in versions
CVE-2023-1835
The CVE-2023-1835 entry concerns the Ninja Forms Contact Form WordPress plugin prior to 3.6.22. The connected documents provide concrete details: the vulnerability is a Reflected Cross-Site Scripting caused by insufficient input sanitization and output escaping, exposed via the page parameter and...
CVE-2023-38386
CVE-2023-38386 affects the WordPress Ninja Forms plugin, specifically versions up to 3.6.25, due to a Missing Authorization/Broken Access Control issue in the form submissions export feature. Root cause involves insufficient access restrictions allowing certain users to export submissions. The CV...
CVE-2024-3866
CVE-2024-3866 refers to the Ninja Forms Contact Form plugin for WordPress, vulnerable up to version 3.8.15. The issue is a Reflected Self-Based Cross-Site Scripting via the Referer header caused by insufficient input sanitization and output escaping. It can allow unauthenticated attackers to inje...
CVE-2023-38393
CVE-2023-38393 is a vulnerability in WordPress Ninja Forms plugin versions ≤ 3.6.25, described as Missing Authorization / Broken Access Control. The issue permits a user with Subscriber/Contributor roles to perform an unauthorized action (export of all Ninja Forms submissions) due to a broken acc...
CVE-2024-12238
CVE-2024-12238 affects the WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You. The vulnerability allows arbitrary shortcode execution in all versions up to and including 3.8.22 due to insufficient validation when do_shortcode is executed. This enables authenticated attack...
CVE-2024-11052
CVE-2024-11052 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress). In all versions up to 3.8.19, the plugin is vulnerable to Stored Cross‑Site Scripting via the calculations parameter due to insufficient input sanitization and output escaping, enabling unauthenticated ...
CVE-2024-50514
CVE-2024-50514 affects WordPress Ninja Forms plugin versions up to and including 3.8.16, with an improper neutralization of input during page generation leading to a stored XSS vulnerability. The issue is triggered in Ninja Forms’ web page generation flow and is classified with a low to moderate ...
CVE-2023-36505
CVE-2023-36505 affects the Ninja Forms Contact Form WordPress plugin (versions
CVE-2024-7354
CVE-2024-7354 affects Ninja Forms for WordPress prior to 3.8.11. The issue is that the plugin does not escape a URL before printing it within an HTML attribute, enabling a reflected XSS attack that could target high-privilege users (e.g., admins). The NVD/NIST entry documents a CVSS 3.1 base scor...
CVE-2021-24165
CVE-2021-24165 affects WordPress Ninja Forms plugin prior to 3.4.34. The open redirect stems from the wp_ajax_nf_oauth_connect action, using a user-supplied redirect parameter without protection. This allows redirecting users to a malicious site, with potential exposure of data or unauthorized ac...
CVE-2024-13470
CVE-2024-13470 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress) and is vulnerable in all versions up to 3.8.24 due to insufficient input sanitization and output escaping on shortcode attributes. This enables a stored cross-site scripting (XSS) payload by authenticate...
CVE-2020-12462
CVE-2020-12462 affects the WordPress Ninja Forms plugin prior to 3.4.24.2. Multiple sources (Red Hat, CVE/NVD, WPVulndB) describe a CSRF bug that can yield a stored XSS condition via the plugin’s import/contact features. Root cause: CSRF vulnerability exploited to inject arbitrary JavaScript. Imp...
CVE-2021-25056
The CVE-2021-25056 entry concerns the WordPress Ninja Forms Contact Form plugin (pre-3.6.10). Root cause: the plugin fails to sanitize and escape field labels, allowing stored Cross-Site Scripting by high-privilege users, even when unfiltered_html is disallowed. Affected software: Ninja Forms Con...
CVE-2024-0685
CVE-2024-0685 (Ninja Forms) affects the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin. Reported as a Second Order SQL Injection via the email field used in forms, in all versions up to and including 3.7.1. Root cause: insufficient escaping of the user-supplied ema...
CVE-2024-25572
CVE-2024-25572 affects Ninja Forms for WordPress prior to version 3.4.31. The issue is a CSRF vulnerability: if an administrator views a malicious page while logged in, unintended operations may be performed. Affected product/version: Ninja Forms before 3.4.31. Red Hat, NVD, JVN and related sourc...
CVE-2016-1209
CVE-2016-1209 affects WordPress Ninja Forms, with vulnerable versions 2.9.36 to 2.9.42 (and 2.9.42.1 as fix variants) allowing remote PHP object injection via crafted POST data, enabling unauthenticated code execution through file upload. Exploitation details are evidenced by Metasploit/Exploit-D...
CVE-2024-37934
The CVE-2024-37934 entry concerns the Ninja Forms WordPress plugin. Public sources describe an improper generation of code (code injection) vulnerability that enables Arbitrary Shortcode Execution in Ninja Forms versions up to 3.8.4. Connected Red Hat/Wordfence references corroborate a vulnerabil...
CVE-2021-36827
CVE-2021-36827 affects the WordPress Ninja Forms Contact Form plugin (versions ≤ 3.6.9). The vulnerability is an authenticated stored XSS via the label field, exploitable by an admin+ user. Impact is documented as a stored XSS; exploitation status is not described in these sources. The recommende...
CVE-2024-2108
Technical details about CVE-2024-2108 are not publicly provided in the supplied documents. No patch version, affected product/version, root cause, or exploit specifics are present; monitor official advisories from Red Hat and WordPress/plugin vendors for updates.
CVE-2024-50515
CVE-2024-50515 affects the WordPress Ninja Forms plugin (versions ≤ 3.8.16). The issue is an improper neutralization of input during page generation, leading to a Stored XSS vulnerability in Ninja Forms. According to Patchstack, the vulnerability requires Administrator privileges and is classifie...
CVE-2022-2903
The CVE-2022-2903 entry corresponds to the WordPress Ninja Forms Contact Form plugin (versions before 3.6.13). The vulnerability is described as insecure deserialization: importing a malicious file can lead to PHP object injection if a suitable gadget chain exists on the site. Impact is documente...
CVE-2024-43999
CVE-2024-43999 pertains to Ninja Forms (WordPress plugin) prior to or equal to 3.8.11 and is described as a Stored XSS vulnerability caused by improper input neutralization during web page generation. The CVE details indicate the issue affects Ninja Forms: from n/a through 3.8.11, with CVSSv3.1 b...
CVE-2024-2113
CVE-2024-2113 affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress up to version 3.8.0. The vulnerability arises from missing or incorrect nonce validation on the nf_download_all_subs AJAX action, enabling unauthenticated attackers to trigger exporting a form’s submissi...
CVE-2024-29220
CVE-2024-29220 affects Ninja Forms (WordPress) prior to 3.8.1. The issue is a cross-site scripting (XSS) vulnerability in the labels of custom fields, allowing an attacker to cause arbitrary script execution in a user’s browser when visiting a site using the product. Public references confirm the...
CVE-2020-36174
CVE-2020-36174 affects the WordPress Ninja Forms plugin prior to version 3.4.27.1. The vulnerability is CSRF through the plugin’s services integration, enabling an attacker to trigger actions on behalf of an authenticated user. Public sources in the connected set corroborate that this issue is ro...
CVE-2021-34648
The CVE-2021-34648 issue affects the WordPress Ninja Forms plugin (up to version 3.5.7). The vulnerability arises from an unprotected REST API endpoint, specifically /ninja-forms-submissions/email-action, where the trigger_email_action function in includes/Routes/Submissions.php can be invoked by...
CVE-2024-39628
CVE-2024-39628 describes a CSRF vulnerability in the Ninja Forms WordPress plugin affecting versions
CVE-2025-2560
The CVE-2025-2560 entry concerns Ninja Forms for WordPress prior to version 3.10.1. Public sources confirm the issue: settings are not properly sanitised/escaped, enabling Stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multis...
CVE-2021-25066
CVE-2021-25066 affects the WordPress Ninja Forms Contact Form plugin (prior to 3.6.10). The root cause is failure to sanitize/escape some imported data, enabling stored Cross-Site Scripting by high-privilege users even when unfiltered_html is disallowed. The impact is stored XSS within the plugin...
CVE-2015-2220
The CVE-2015-2220 entry concerns the WordPress Ninja Forms plugin with XSS vulnerabilities in versions before 2.8.9. Two vectors are reported: (1) via ninja_forms_field_1 in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php, and (2) via fields[1] in wp-admin/post.php. These permit remot...
CVE-2024-26019
CVE-2024-26019 affects Ninja Forms (WordPress) prior to 3.8.1, enabling a cross‑site scripting (XSS) vulnerability in submit processing. Exploitation could cause arbitrary JavaScript execution in the web browser of a user visiting the affected site. The root cause is insufficient input sanitizati...
CVE-2021-24163
The CVE-2021-24163 issue affects the WordPress plugin Ninja Forms (The Drag and Drop Form Builder) prior to version 3.4.34. The vulnerability is in the AJAX action wp_ajax_ninja_forms_sendwp_remote_install_handler, which lacks capability checks and nonce protection, enabling low-privilege users (...
CVE-2021-24889
The CVE refers to WordPress Ninja Forms Contact Form plugin. Up to version 3.6.3 (3.6.4 fixes) the vulnerability stems from not escaping keys of POST parameters, enabling SQL injection by high-privilege users. Affected product: Ninja Forms Contact Form WordPress plugin. Root cause: missing escapi...
CVE-2021-34647
The CVE-2021-34647 entry documents a vulnerability in the WordPress Ninja Forms plugin (versions up to and including 3.5.7) where an authenticated user can access the REST API endpoint /ninja-forms-submissions/export to export all submissions, potentially exposing PII. The root cause is a lack of...
CVE-2021-24164
CVE-2021-24164 affects the Ninja Forms Contact Form WordPress plugin up to version 3.4.34.1. The vulnerability allows low-privilege authenticated users (e.g., subscribers) to trigger the wp_ajax_nf_oauth action and disclose sensitive OAuth data, including the connection URL needed to establish a ...
CVE-2018-20981
CVE-2018-20981 affects the WordPress Ninja Forms plugin prior to version 3.3.9. The issue is described as insufficient restrictions on submission-data retrieval during Export Personal Data requests, which could enable access to personal data during the export process. The available connected docu...
CVE-2021-24166
Affected software: WordPress plugin Ninja Forms – Drag and Drop Form Builder. Vulnerability: CSRF to OAuth service disconnection in wp_ajax_nf_oauth_disconnect due to no nonce protection in versions before 3.4.34. Impact: unauthorized user can craft requests to disconnect a site’s OAuth connectio...
CVE-2017-18574
The CVE refers to the Ninja Forms WordPress plugin (before version 3.0.31) with insufficient HTML escaping in the builder, leading to an XSS vulnerability. Affected: Ninja Forms plugin for WordPress; root cause: inadequate escaping in the builder component. Impact: cross-site scripting potential;...
CVE-2018-16308
CVE-2018-16308 — CSV Injection in WordPress Ninja Forms is a vulnerability in the Ninja Forms plugin for WordPress, affecting versions before 3.3.14.1. The issue is a CSV injection flaw in the plugin’s handling of form data exported to CSV. The CVSS metrics indicate a high impact when exploited l...
CVE-2020-36173
The CVE-2020-36173 entry concerns the WordPress Ninja Forms plugin before version 3.4.28. Connected sources confirm a vulnerability in the submissions-table fields due to missing escaping, allowing potential Cross‑Site Scripting (XSS). The core issue is improper escaping of HTML content in submis...
CVE-2020-36175
The CVE-2020-36175 entry concerns the WordPress Ninja Forms plugin prior to version 3.4.27.1. Connected documents confirm a vulnerability where the email field can bypass validation, enabling input that should be rejected by the form’s validation logic. The affected component is the Ninja Forms W...
CVE-2025-2524
CVE-2025-2524 concerns Ninja Forms for WordPress: versions before 3.10.1 allow Stored XSS by high-privilege users (e.g., admins) due to insufficient sanitisation/escaping of certain settings, even when unfiltered_html is disallowed (e.g., multisite). Impact is admin-level stored XSS, with no publ...
CVE-2023-35909
CVE-2023-35909 affects the Ninja Forms Contact Form (Ninja Forms) WordPress plugin, specifically versions up to 3.6.25. It is an Uncontrolled Resource Consumption vulnerability that can cause a Denial of Service (DoS) and is exploitable without authentication via large form submissions. CVSS v3.1...
CVE-2023-5530
CVE-2023-5530 affects the WordPress plugin Ninja Forms Contact Form, version prior to 3.6.34. The issue is that label fields are not sanitized/escaped, potentially allowing Stored XSS by high-privilege users (admin) who have unfiltered_html, a capability they already possess. The vulnerability is...
CVE-2018-19796
CVE-2018-19796 – Open Redirect in Ninja Forms (WordPress) . Affected software: WordPress Ninja Forms plugin versions before 3.3.19.1. Component: lib/StepProcessing/step-processing.php (submission/download page). Root cause: improper handling of the redirect parameter enables remote attackers to r...
CVE-2018-7280
CVE-2018-7280 affects the WordPress Ninja Forms plugin prior to 3.2.14 (i.e., versions
CVE-2018-20980
CVE-2018-20980 affects the Ninja Forms plugin for WordPress prior to version 3.2.15, with a parameter tampering vulnerability. The NVD metrics indicate a CVSS-3 base score of 7.5 (HIGH), driven by network attack vector, low complexity, no privileges required, but impact on integrity is HIGH while...
CVE-2014-9688
CVE-2014-9688 concerns the Ninja Forms WordPress plugin, specifically versions before 2.8.10. The connected sources describe an unspecified vulnerability with unknown impact and remote attack vectors related to admin users. The NVD metrics indicate partial confidentiality, integrity, and availabi...