45 matches found
CVE-2023-37979
The CVE-2023-37979 entry maps to the Ninja Forms WordPress plugin with reflected XSS in versions
CVE-2023-1835
The CVE-2023-1835 entry concerns the Ninja Forms Contact Form WordPress plugin prior to 3.6.22. The connected documents provide concrete details: the vulnerability is a Reflected Cross-Site Scripting caused by insufficient input sanitization and output escaping, exposed via the page parameter and...
CVE-2023-38386
CVE-2023-38386 affects the WordPress Ninja Forms plugin, specifically versions up to 3.6.25, due to a Missing Authorization/Broken Access Control issue in the form submissions export feature. Root cause involves insufficient access restrictions allowing certain users to export submissions. The CV...
CVE-2024-3866
CVE-2024-3866 refers to the Ninja Forms Contact Form plugin for WordPress, vulnerable up to version 3.8.15. The issue is a Reflected Self-Based Cross-Site Scripting via the Referer header caused by insufficient input sanitization and output escaping. It can allow unauthenticated attackers to inje...
CVE-2024-12238
CVE-2024-12238 affects the WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You. The vulnerability allows arbitrary shortcode execution in all versions up to and including 3.8.22 due to insufficient validation when do_shortcode is executed. This enables authenticated attack...
CVE-2024-11052
CVE-2024-11052 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress). In all versions up to 3.8.19, the plugin is vulnerable to Stored Cross‑Site Scripting via the calculations parameter due to insufficient input sanitization and output escaping, enabling unauthenticated ...
CVE-2023-36505
CVE-2023-36505 affects the Ninja Forms Contact Form WordPress plugin (versions
CVE-2024-13470
CVE-2024-13470 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress) and is vulnerable in all versions up to 3.8.24 due to insufficient input sanitization and output escaping on shortcode attributes. This enables a stored cross-site scripting (XSS) payload by authenticate...
CVE-2021-24165
CVE-2021-24165 affects WordPress Ninja Forms plugin prior to 3.4.34. The open redirect stems from the wp_ajax_nf_oauth_connect action, using a user-supplied redirect parameter without protection. This allows redirecting users to a malicious site, with potential exposure of data or unauthorized ac...
CVE-2020-12462
CVE-2020-12462 affects the WordPress Ninja Forms plugin prior to 3.4.24.2. Multiple sources (Red Hat, CVE/NVD, WPVulndB) describe a CSRF bug that can yield a stored XSS condition via the plugin’s import/contact features. Root cause: CSRF vulnerability exploited to inject arbitrary JavaScript. Imp...
CVE-2021-25056
The CVE-2021-25056 entry concerns the WordPress Ninja Forms Contact Form plugin (pre-3.6.10). Root cause: the plugin fails to sanitize and escape field labels, allowing stored Cross-Site Scripting by high-privilege users, even when unfiltered_html is disallowed. Affected software: Ninja Forms Con...
CVE-2024-25572
CVE-2024-25572 affects Ninja Forms for WordPress prior to version 3.4.31. The issue is a CSRF vulnerability: if an administrator views a malicious page while logged in, unintended operations may be performed. Affected product/version: Ninja Forms before 3.4.31. Red Hat, NVD, JVN and related sourc...
CVE-2024-37934
The CVE-2024-37934 entry concerns the Ninja Forms WordPress plugin. Public sources describe an improper generation of code (code injection) vulnerability that enables Arbitrary Shortcode Execution in Ninja Forms versions up to 3.8.4. Connected Red Hat/Wordfence references corroborate a vulnerabil...
CVE-2022-2903
The CVE-2022-2903 entry corresponds to the WordPress Ninja Forms Contact Form plugin (versions before 3.6.13). The vulnerability is described as insecure deserialization: importing a malicious file can lead to PHP object injection if a suitable gadget chain exists on the site. Impact is documente...
CVE-2024-2108
Technical details about CVE-2024-2108 are not publicly provided in the supplied documents. No patch version, affected product/version, root cause, or exploit specifics are present; monitor official advisories from Red Hat and WordPress/plugin vendors for updates.
CVE-2024-43999
CVE-2024-43999 pertains to Ninja Forms (WordPress plugin) prior to or equal to 3.8.11 and is described as a Stored XSS vulnerability caused by improper input neutralization during web page generation. The CVE details indicate the issue affects Ninja Forms: from n/a through 3.8.11, with CVSSv3.1 b...
CVE-2024-29220
CVE-2024-29220 affects Ninja Forms (WordPress) prior to 3.8.1. The issue is a cross-site scripting (XSS) vulnerability in the labels of custom fields, allowing an attacker to cause arbitrary script execution in a user’s browser when visiting a site using the product. Public references confirm the...
CVE-2025-2560
The CVE-2025-2560 entry concerns Ninja Forms for WordPress prior to version 3.10.1. Public sources confirm the issue: settings are not properly sanitised/escaped, enabling Stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multis...
CVE-2024-2113
CVE-2024-2113 affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress up to version 3.8.0. The vulnerability arises from missing or incorrect nonce validation on the nf_download_all_subs AJAX action, enabling unauthenticated attackers to trigger exporting a form’s submissi...
CVE-2020-36174
CVE-2020-36174 affects the WordPress Ninja Forms plugin prior to version 3.4.27.1. The vulnerability is CSRF through the plugin’s services integration, enabling an attacker to trigger actions on behalf of an authenticated user. Public sources in the connected set corroborate that this issue is ro...
CVE-2024-39628
CVE-2024-39628 describes a CSRF vulnerability in the Ninja Forms WordPress plugin affecting versions
CVE-2021-25066
CVE-2021-25066 affects the WordPress Ninja Forms Contact Form plugin (prior to 3.6.10). The root cause is failure to sanitize/escape some imported data, enabling stored Cross-Site Scripting by high-privilege users even when unfiltered_html is disallowed. The impact is stored XSS within the plugin...
CVE-2024-26019
CVE-2024-26019 affects Ninja Forms (WordPress) prior to 3.8.1, enabling a cross‑site scripting (XSS) vulnerability in submit processing. Exploitation could cause arbitrary JavaScript execution in the web browser of a user visiting the affected site. The root cause is insufficient input sanitizati...
CVE-2021-24889
The CVE refers to WordPress Ninja Forms Contact Form plugin. Up to version 3.6.3 (3.6.4 fixes) the vulnerability stems from not escaping keys of POST parameters, enabling SQL injection by high-privilege users. Affected product: Ninja Forms Contact Form WordPress plugin. Root cause: missing escapi...
CVE-2021-24163
The CVE-2021-24163 issue affects the WordPress plugin Ninja Forms (The Drag and Drop Form Builder) prior to version 3.4.34. The vulnerability is in the AJAX action wp_ajax_ninja_forms_sendwp_remote_install_handler, which lacks capability checks and nonce protection, enabling low-privilege users (...
CVE-2018-20981
CVE-2018-20981 affects the WordPress Ninja Forms plugin prior to version 3.3.9. The issue is described as insufficient restrictions on submission-data retrieval during Export Personal Data requests, which could enable access to personal data during the export process. The available connected docu...
CVE-2021-24164
CVE-2021-24164 affects the Ninja Forms Contact Form WordPress plugin up to version 3.4.34.1. The vulnerability allows low-privilege authenticated users (e.g., subscribers) to trigger the wp_ajax_nf_oauth action and disclose sensitive OAuth data, including the connection URL needed to establish a ...
CVE-2021-24166
Affected software: WordPress plugin Ninja Forms – Drag and Drop Form Builder. Vulnerability: CSRF to OAuth service disconnection in wp_ajax_nf_oauth_disconnect due to no nonce protection in versions before 3.4.34. Impact: unauthorized user can craft requests to disconnect a site’s OAuth connectio...
CVE-2018-16308
CVE-2018-16308 — CSV Injection in WordPress Ninja Forms is a vulnerability in the Ninja Forms plugin for WordPress, affecting versions before 3.3.14.1. The issue is a CSV injection flaw in the plugin’s handling of form data exported to CSV. The CVSS metrics indicate a high impact when exploited l...
CVE-2017-18574
The CVE refers to the Ninja Forms WordPress plugin (before version 3.0.31) with insufficient HTML escaping in the builder, leading to an XSS vulnerability. Affected: Ninja Forms plugin for WordPress; root cause: inadequate escaping in the builder component. Impact: cross-site scripting potential;...
CVE-2020-36173
The CVE-2020-36173 entry concerns the WordPress Ninja Forms plugin before version 3.4.28. Connected sources confirm a vulnerability in the submissions-table fields due to missing escaping, allowing potential Cross‑Site Scripting (XSS). The core issue is improper escaping of HTML content in submis...
CVE-2023-35909
CVE-2023-35909 affects the Ninja Forms Contact Form (Ninja Forms) WordPress plugin, specifically versions up to 3.6.25. It is an Uncontrolled Resource Consumption vulnerability that can cause a Denial of Service (DoS) and is exploitable without authentication via large form submissions. CVSS v3.1...
CVE-2025-2524
CVE-2025-2524 concerns Ninja Forms for WordPress: versions before 3.10.1 allow Stored XSS by high-privilege users (e.g., admins) due to insufficient sanitisation/escaping of certain settings, even when unfiltered_html is disallowed (e.g., multisite). Impact is admin-level stored XSS, with no publ...
CVE-2020-36175
The CVE-2020-36175 entry concerns the WordPress Ninja Forms plugin prior to version 3.4.27.1. Connected documents confirm a vulnerability where the email field can bypass validation, enabling input that should be rejected by the form’s validation logic. The affected component is the Ninja Forms W...
CVE-2018-19796
CVE-2018-19796 – Open Redirect in Ninja Forms (WordPress) . Affected software: WordPress Ninja Forms plugin versions before 3.3.19.1. Component: lib/StepProcessing/step-processing.php (submission/download page). Root cause: improper handling of the redirect parameter enables remote attackers to r...
CVE-2023-5530
CVE-2023-5530 affects the WordPress plugin Ninja Forms Contact Form, version prior to 3.6.34. The issue is that label fields are not sanitized/escaped, potentially allowing Stored XSS by high-privilege users (admin) who have unfiltered_html, a capability they already possess. The vulnerability is...
CVE-2018-7280
CVE-2018-7280 affects the WordPress Ninja Forms plugin prior to 3.2.14 (i.e., versions
CVE-2018-20980
CVE-2018-20980 affects the Ninja Forms plugin for WordPress prior to version 3.2.15, with a parameter tampering vulnerability. The NVD metrics indicate a CVSS-3 base score of 7.5 (HIGH), driven by network attack vector, low complexity, no privileges required, but impact on integrity is HIGH while...
CVE-2025-2561
The CVE-2025-2561 entry concerns the Ninja Forms WordPress plugin prior to 3.10.1. The issue is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient sanitisation/escaping of certain plugin settings, enabling high-privilege users (e.g., admins) to inject scripts even when unfiltered_htm...
CVE-2025-5398
CVE-2025-5398 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress plugin). The CVE describes a Stored Cross-Site Scripting (CSTI) vulnerability due to insufficient output escaping in the templating engine, impacting all versions up to and including 3.10.2.1. Exploitation...
CVE-2025-9083
CVE-2025-9083 affects Ninja Forms for WordPress (pre-3.11.1). The vulnerability arises from unserializing user input in a form field, enabling unauthenticated PHP Object Injection when a suitable gadget exists on the blog. Remediation: upgrade Ninja Forms to version 3.11.1 or later (patched in so...
CVE-2025-10499
CVE-2025-10499 : The WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You (up to version 3.12.0) is vulnerable to a Cross‑Site Request Forgery (CSRF) due to missing/incorrect nonce validation in the maybe_opt_in() function. This allows unauthenticated attackers to trigger e...
CVE-2025-10498
CVE-2025-10498 affects Ninja Forms for WordPress (
CVE-2025-14072
CVE-2025-14072 concerns the Ninja Forms WordPress plugin prior to 3.13.3, where an unauthenticated REST API flow can generate valid access tokens that read form submissions. The issue is confirmed in multiple sources (Red Hat RH: Ninja Forms <3.13.3; NVD/NVD listings; CVE records) and is descr...
CVE-2025-11924
The CVE-2025-11924 entry concerns Ninja Forms – The Contact Form Builder That Grows With You for WordPress (versions up to and including 3.13.2). Affected component: the ninja-forms-views REST endpoints. Root cause: insufficient authorization checks allow an unauthenticated attacker to read arbit...