Vulnerabilities > Ninjaforms

DATE CVE VULNERABILITY TITLE RISK
2023-08-30 CVE-2023-4109 Unspecified vulnerability in Ninjaforms Ninja Forms Contact Form
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.
network
low complexity
ninjaforms
4.8
2023-07-27 CVE-2023-37979 Cross-site Scripting vulnerability in Ninjaforms Ninja Forms
Unauth.
network
low complexity
ninjaforms CWE-79
6.1
2023-05-15 CVE-2023-1835 Unspecified vulnerability in Ninjaforms Ninja Forms
The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
network
low complexity
ninjaforms
6.1
2022-09-26 CVE-2022-2903 Deserialization of Untrusted Data vulnerability in Ninjaforms Ninja Forms
The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
network
low complexity
ninjaforms CWE-502
7.2
2022-07-04 CVE-2021-25056 Cross-site Scripting vulnerability in Ninjaforms Ninja Forms
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
network
low complexity
ninjaforms CWE-79
4.8
2022-07-04 CVE-2021-25066 Cross-site Scripting vulnerability in Ninjaforms Ninja Forms
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
network
low complexity
ninjaforms CWE-79
4.8
2022-06-16 CVE-2021-36827 Cross-site Scripting vulnerability in Ninjaforms Ninja Forms
Auth.
network
low complexity
ninjaforms CWE-79
4.8
2022-03-23 CVE-2022-0888 Unrestricted Upload of File with Dangerous Type vulnerability in Ninjaforms Ninja Forms File Uploads
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0
network
low complexity
ninjaforms CWE-434
critical
9.8
2022-03-23 CVE-2022-0889 Cross-site Scripting vulnerability in Ninjaforms Ninja Forms File Uploads
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.
network
low complexity
ninjaforms CWE-79
6.1
2021-11-29 CVE-2021-24889 SQL Injection vulnerability in Ninjaforms Ninja Forms
The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks
network
low complexity
ninjaforms CWE-89
7.2