Vulnerabilities > CVE-2021-24164 - Missing Authorization vulnerability in Ninjaforms Ninja Forms
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://wpscan.com/vulnerability/dfa32afa-c6de-4237-a9f2-709843dcda89
- https://wpscan.com/vulnerability/dfa32afa-c6de-4237-a9f2-709843dcda89
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/