Vulnerabilities > Ninjaforms > Ninja Forms

DATE CVE VULNERABILITY TITLE RISK
2021-04-05 CVE-2021-24164 Missing Authorization vulnerability in Ninjaforms Ninja Forms
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection.
network
low complexity
ninjaforms CWE-862
4.0
4.0
2021-04-05 CVE-2021-24163 Missing Authorization vulnerability in Ninjaforms Ninja Forms
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.
network
low complexity
ninjaforms CWE-862
8.8
8.8
2021-01-06 CVE-2020-36175 Incorrect Authorization vulnerability in Ninjaforms Ninja Forms
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
network
low complexity
ninjaforms CWE-863
5.0
5.0
2021-01-06 CVE-2020-36174 Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms
The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. 		4.3
4.3
2021-01-06 CVE-2020-36173 Incorrect Authorization vulnerability in Ninjaforms Ninja Forms
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.
network
low complexity
ninjaforms CWE-863
5.0
5.0
2020-04-29 CVE-2020-12462 Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms
The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. 		4.3
4.3
2020-02-14 CVE-2020-8594 Cross-site Scripting vulnerability in Ninjaforms Ninja Forms 3.4.22
The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].
network
ninjaforms CWE-79
3.5
3.5
2019-08-22 CVE-2018-20981 Improper Input Validation vulnerability in Ninjaforms Ninja Forms
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.
network
low complexity
ninjaforms CWE-20
6.4
6.4
2019-08-22 CVE-2018-20980 Improper Input Validation vulnerability in Ninjaforms Ninja Forms
The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.
network
low complexity
ninjaforms CWE-20
5.0
5.0
2019-08-22 CVE-2017-18574 Improper Input Validation vulnerability in Ninjaforms Ninja Forms
The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.
network
ninjaforms CWE-20
4.3
4.3