Ninja Forms@* Security Vulnerabilities and Issues — Ninja Forms@* CVE List

Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form.This issue affects Ninja Forms Contact Form : from n/a through 3.6.24.

7.2CVSS6.8AI score0.00394EPSS

CVE•added 2023/05/15 1:15 p.m.•72 views

CVE-2023-1835

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1CVSS6.1AI score0.1176EPSS

CVE•added 2024/02/02 5:15 a.m.•64 views

CVE-2024-0685

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter an...

9.8CVSS9.7AI score0.00469EPSS

CVE•added 2020/04/29 5:15 p.m.•63 views

CVE-2020-12462

The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.

6.1CVSS6.3AI score0.00264EPSS

CVE•added 2022/07/04 1:15 p.m.•62 views

CVE-2021-25056

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8CVSS4.7AI score0.00195EPSS

CVE•added 2024/03/29 7:15 a.m.•58 views

CVE-2024-2108

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it...

5.4CVSS7.7AI score0.00177EPSS

CVE•added 2024/12/29 6:15 a.m.•56 views

CVE-2024-12238

The The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate a value before running...

6.3CVSS6.5AI score0.00212EPSS

CVE•added 2022/09/26 1:15 p.m.•55 views

CVE-2022-2903

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

7.2CVSS7AI score0.00295EPSS

CVE•added 2024/04/11 3:15 a.m.•54 views

CVE-2024-25572

Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a malicious page while logging in, unintended operations may be performed.

8.8CVSS6.8AI score0.00191EPSS

CVE•added 2016/05/14 3:59 p.m.•53 views

CVE-2016-1209

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.

9.8CVSS9.5AI score0.77252EPSS

CVE•added 2022/06/16 6:15 p.m.•53 views

CVE-2021-36827

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin

4.8CVSS4.8AI score0.00195EPSS

CVE•added 2015/03/05 4:59 p.m.•52 views

CVE-2015-2220

Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrator...

4.3CVSS5.9AI score0.00198EPSS

CVE•added 2024/03/29 7:15 a.m.•52 views

CVE-2024-2113

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it possi...

4.3CVSS5.2AI score0.00327EPSS

CVE•added 2024/09/02 8:15 a.m.•52 views

CVE-2024-7354

The Ninja Forms WordPress plugin before 3.8.11 does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1CVSS6AI score0.00758EPSS

CVE•added 2024/07/09 1:15 p.m.•51 views

CVE-2024-37934

Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.This issue affects Ninja Forms: from n/a through 3.8.4.

9.8CVSS7.6AI score0.00427EPSS

CVE•added 2022/07/04 1:15 p.m.•50 views

CVE-2021-25066

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8CVSS4.6AI score0.00267EPSS

CVE•added 2024/08/26 9:15 p.m.•49 views

CVE-2024-39628

Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery.This issue affects Ninja Forms: from n/a through 3.8.6.

8.8CVSS7AI score0.00062EPSS

CVE•added 2024/09/18 12:15 a.m.•49 views

CVE-2024-43999

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS.This issue affects Ninja Forms: from n/a through 3.8.11.

5.9CVSS5.7AI score0.00067EPSS

CVE•added 2021/04/05 7:15 p.m.•48 views

CVE-2021-24165

In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.

6.1CVSS6.2AI score0.01173EPSS

CVE•added 2024/12/12 6:15 a.m.•48 views

CVE-2024-11052

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthe...

7.2CVSS6.2AI score0.00768EPSS

CVE•added 2021/09/22 6:15 p.m.•47 views

CVE-2021-34648

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /...

6.4CVSS4.7AI score0.00162EPSS

CVE•added 2024/04/11 3:15 a.m.•46 views

CVE-2024-26019

Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product.

5.4CVSS6.1AI score0.00361EPSS

CVE•added 2024/11/19 5:15 p.m.•45 views

CVE-2024-50515

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS.This issue affects Ninja Forms: from n/a through 3.8.16.

5.9CVSS5.7AI score0.00057EPSS

CVE•added 2024/04/11 3:15 a.m.•44 views

CVE-2024-29220

Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product.

6.1CVSS6.2AI score0.0031EPSS

CVE•added 2019/08/22 1:15 p.m.•43 views

CVE-2017-18574

The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.

6.1CVSS6.3AI score0.00209EPSS

CVE•added 2021/04/05 7:15 p.m.•43 views

CVE-2021-24164

In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connec...

4.3CVSS4.6AI score0.00168EPSS

CVE•added 2025/01/30 8:15 a.m.•43 views

CVE-2024-13470

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

6.4CVSS5.7AI score0.00053EPSS

CVE•added 2024/09/25 7:15 a.m.•43 views

CVE-2024-3866

The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

6.1CVSS5.5AI score0.00513EPSS

CVE•added 2021/09/22 6:15 p.m.•42 views

CVE-2021-34647

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via ...

6.5CVSS6.1AI score0.00535EPSS

CVE•added 2021/04/05 7:15 p.m.•41 views

CVE-2021-24166

The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.

5.8CVSS5.5AI score0.00093EPSS

CVE•added 2019/08/22 1:15 p.m.•39 views

CVE-2018-20981

The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.

9.1CVSS9.2AI score0.00596EPSS

CVE•added 2021/04/05 7:15 p.m.•39 views

CVE-2021-24163

The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop For...

8.8CVSS8.7AI score0.00603EPSS

CVE•added 2023/11/06 9:15 p.m.•39 views

CVE-2023-5530

The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use J...

4.8CVSS4.7AI score0.01481EPSS

CVE•added 2018/09/01 6:29 p.m.•38 views

CVE-2018-16308

The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.

8.6CVSS8.8AI score0.00411EPSS

CVE•added 2024/11/19 5:15 p.m.•38 views

CVE-2024-50514

5.9CVSS5.7AI score0.00057EPSS

CVE•added 2021/11/29 9:15 a.m.•37 views

CVE-2021-24889

The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks

7.2CVSS7AI score0.00567EPSS

CVE•added 2019/08/22 1:15 p.m.•36 views

CVE-2018-20980

The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.

7.5CVSS7.6AI score0.00282EPSS

CVE•added 2021/01/06 3:15 p.m.•36 views

CVE-2020-36175

The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.

5.3CVSS5.6AI score0.00187EPSS

CVE•added 2018/12/03 6:29 a.m.•35 views

CVE-2018-19796

An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.

6.1CVSS6.3AI score0.00264EPSS

CVE•added 2021/01/06 3:15 p.m.•35 views

CVE-2020-36173

The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.

5.3CVSS5.3AI score0.00187EPSS

CVE•added 2023/12/07 12:15 p.m.•35 views

CVE-2023-35909

Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS.This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25.

5.3CVSS5.3AI score0.00206EPSS

CVE•added 2021/01/06 3:15 p.m.•34 views

CVE-2020-36174

The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.

6.5CVSS6.5AI score0.0014EPSS

CVE•added 2018/02/21 4:29 p.m.•33 views

CVE-2018-7280

The Ninja Forms plugin before 3.2.14 for WordPress has XSS.

6.1CVSS6.3AI score0.0021EPSS

CVE•added 2015/03/05 4:59 p.m.•32 views

CVE-2014-9688

Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

7.5CVSS6.8AI score0.00311EPSS

CVE•added 2025/05/19 6:15 a.m.•22 views

CVE-2025-2524

The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8CVSS5.4AI score0.00046EPSS

CVE•added 2025/05/19 6:15 a.m.•19 views

CVE-2025-2561

4.8CVSS5.4AI score0.00046EPSS

CVE•added 2025/05/19 6:15 a.m.•16 views

CVE-2025-2560

4.8CVSS5.4AI score0.00046EPSS

Total number of security vulnerabilities51