Vulnerabilities > Ninjaforms > Ninja Forms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-05 | CVE-2021-24163 | Missing Authorization vulnerability in Ninjaforms Ninja Forms The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin. | 8.8 |
| 2021-01-06 | CVE-2020-36175 | Improper Input Validation vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. | 5.3 |
| 2021-01-06 | CVE-2020-36174 | Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. | 6.5 |
| 2021-01-06 | CVE-2020-36173 | Improper Encoding or Escaping of Output vulnerability in Ninjaforms Ninja Forms The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | 5.3 |
| 2020-04-29 | CVE-2020-12462 | Cross-Site Request Forgery (CSRF) vulnerability in Ninjaforms Ninja Forms The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. | 6.1 |
| 2020-02-14 | CVE-2020-8594 | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms 3.4.22 The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. | 5.4 |
| 2019-08-22 | CVE-2018-20981 | Improper Input Validation vulnerability in Ninjaforms Ninja Forms The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests. | 9.1 |
| 2019-08-22 | CVE-2018-20980 | Improper Input Validation vulnerability in Ninjaforms Ninja Forms The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering. | 7.5 |
| 2019-08-22 | CVE-2017-18574 | Improper Input Validation vulnerability in Ninjaforms Ninja Forms The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder. | 6.1 |
| 2018-12-03 | CVE-2018-19796 | Open Redirect vulnerability in Ninjaforms Ninja Forms An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter. | 6.1 |