Vulnerabilities > Ninjaforms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-03-29 | CVE-2024-2108 | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. | 5.4 |
| 2024-03-29 | CVE-2024-2113 | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. | 4.3 |
| 2024-02-02 | CVE-2024-0685 | SQL Injection vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 9.8 |
| 2023-12-07 | CVE-2023-35909 | Unspecified vulnerability in Ninjaforms Ninja Forms Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS.This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25. | 5.3 |
| 2023-11-06 | CVE-2023-5530 | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. | 4.8 |
| 2023-08-30 | CVE-2023-4109 | Unspecified vulnerability in Ninjaforms Ninja Forms Contact Form The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability. | 4.8 |
| 2023-07-27 | CVE-2023-37979 | Unspecified vulnerability in Ninjaforms Ninja Forms Unauth. | 6.1 |
| 2023-05-15 | CVE-2023-1835 | Unspecified vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 6.1 |
| 2022-09-26 | CVE-2022-2903 | Unspecified vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | 7.2 |
| 2022-07-04 | CVE-2021-25056 | Cross-site Scripting vulnerability in Ninjaforms Ninja Forms The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |