Lucene search
WpvulndbWPVDB-ID:795ACAB2-F621-4662-834B-EBB6205EF7DEHistoryJun 13, 2022 - 12:00 a.m.
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
2022-06-1300:00:00
wpscan.com
17
0.001 Low
EPSS
Percentile
25.0%
The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PoC
As admin, put the following payload in a field label: The XSS will be triggered when editing the form, as well as in post/page where the form is embed
| CPE | Name | Operator | Version |
|---|---|---|---|
| ninja-forms | lt | 3.6.11 |
Related
cnvd
cnvd
WordPress Ninja Forms Contact Form pluginθ·¨η«θζ¬ζΌζ΄
2022-07-06 00:00:00
prion
prion
Cross site scripting
2022-07-04 13:15:00
wpexploit
wpexploit
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
2022-06-13 00:00:00
cve
cve
CVE-2021-25056
2022-07-04 13:15:08
patchstack
patchstack
nvd
nvd
CVE-2021-25056
2022-07-04 13:15:08
cvelist
cvelist
CVE-2021-25056 Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
2022-07-04 13:05:21
openvas
openvas
WordPress Ninja Forms Contact Form Plugin < 3.6.10 Multiple Vulnerabilities
2022-07-05 00:00:00