Vulnerabilities > CVE-2021-34648 - Missing Authorization vulnerability in Ninjaforms Ninja Forms

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
LOW
Availability impact
NONE
network
low complexity
ninjaforms
CWE-862
NVD
Published: 2021-09-22
Updated: 2022-10-27

Summary

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims.

Vulnerable Configurations

Part Description Count
Application
Ninjaforms
283

Common Weakness Enumeration (CWE)

References