wpexploit | Rodel Plasabas | WPEX-ID:E383FAE6-E0DA-4ABA-BB62-ADF51C01BF8D
Published Sep 27, 2021 - 12:00 a.m.

NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting

Tags: ninjaforms version 3.5.8.2, admin+ stored, cross-site scripting, form builder, dev mode, xss payload, security exploit

EPSS: 0.001 (Percentile: 24.8%)

The plugin does not sanitise or escape the custom class name of a created form field, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

With the Form Builder "Dev Mode" setting enabled, create a form and a field, then under the Display option of the field, add the following payload in the Custom Class Names Container field: "><img src onerror=alert(/XSS/)>

Save the field and the form, then view/preview the page with the form embedded to trigger the XSS.

https://www.youtube.com/watch?v=Ax8QK5gEBUk
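The root cause is a stored value landing inside an HTML attribute without attribute escaping. The following is an added illustration, not Ninja Forms code: a hypothetical field renderer in its vulnerable and hardened forms, fed the advisory's payload (the markup and function names are invented; the escaper applies the same character set as WordPress's esc_attr()).

```javascript
// Constructed input, taken from the advisory's proof of concept.
const PAYLOAD = '"><img src onerror=alert(/XSS/)>';

// Minimal HTML-attribute escaper: encodes &, ", ', < and > so a stored
// value cannot terminate the attribute or open a new tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern (hypothetical markup): the stored custom class name
// is concatenated into the class attribute unchanged.
function renderFieldVulnerable(fieldId, customClass) {
  return `<div id="${fieldId}" class="field ${customClass}"></div>`;
}

// Hardened pattern: every attribute value goes through the escaper,
// so the payload stays an inert (if odd-looking) class name.
function renderFieldHardened(fieldId, customClass) {
  return `<div id="${escapeAttr(fieldId)}" class="field ${escapeAttr(customClass)}"></div>`;
}

// Review/detection aid: the template emits exactly one tag, so any
// additional tag opener in the rendered output means a value broke out.
function containsInjectedTag(html) {
  return (html.match(/<[a-z]/gi) || []).length > 1;
}
```

The same check applies to a server-side renderer: any user-controlled string placed in an attribute must be escaped for the attribute context, independent of whether the author holds unfiltered_html.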

