CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Ninjaforms » Ninja Forms » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-36827 79 XSS 2022-06-16 2022-06-27
3.5
None Remote Medium ??? None Partial None
Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress via "label".
2 CVE-2021-34648 863 2021-09-22 2021-09-29
4.0
None Remote Low ??? None Partial None
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims.
3 CVE-2021-34647 863 2021-09-22 2021-09-29
4.0
None Remote Low ??? Partial None None
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information.
4 CVE-2021-25066 79 XSS 2022-07-04 2022-07-12
3.5
None Remote Medium ??? None Partial None
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
5 CVE-2021-25056 79 XSS 2022-07-04 2022-07-13
3.5
None Remote Medium ??? None Partial None
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
6 CVE-2021-24889 89 Sql 2021-11-29 2021-11-29
6.5
None Remote Low ??? Partial Partial Partial
The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks
7 CVE-2021-24166 352 2021-04-05 2021-04-09
5.8
None Remote Medium Not required None Partial Partial
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.
8 CVE-2021-24165 601 2021-04-05 2021-04-09
5.8
None Remote Medium Not required Partial Partial None
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
9 CVE-2021-24164 200 +Info 2021-04-05 2021-04-09
4.0
None Remote Low ??? Partial None None
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.
10 CVE-2021-24163 200 +Info 2021-04-05 2021-04-09
6.5
None Remote Low ??? Partial Partial Partial
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.
11 CVE-2020-36175 863 Bypass 2021-01-06 2021-07-21
5.0
None Remote Low Not required None Partial None
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
12 CVE-2020-36174 352 CSRF 2021-01-06 2021-01-08
4.3
None Remote Medium Not required None Partial None
The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.
13 CVE-2020-36173 863 2021-01-06 2021-07-21
5.0
None Remote Low Not required None Partial None
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.
14 CVE-2020-12462 352 XSS CSRF 2020-04-29 2020-05-06
4.3
None Remote Medium Not required None Partial None
The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.
15 CVE-2018-20981 20 2019-08-22 2019-08-26
6.4
None Remote Low Not required Partial Partial None
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.
16 CVE-2018-20980 20 2019-08-22 2019-08-26
5.0
None Remote Low Not required None Partial None
The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.
17 CVE-2018-19796 601 2018-12-03 2020-03-03
5.8
None Remote Medium Not required Partial Partial None
An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.
18 CVE-2018-16308 1236 2018-09-01 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
19 CVE-2018-7280 79 XSS 2018-02-21 2018-03-05
4.3
None Remote Medium Not required None Partial None
The Ninja Forms plugin before 3.2.14 for WordPress has XSS.
20 CVE-2017-18574 20 2019-08-22 2019-08-26
4.3
None Remote Medium Not required None Partial None
The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.
21 CVE-2016-1209 20 2016-05-14 2016-06-23
7.5
None Remote Low Not required Partial Partial Partial
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.
22 CVE-2015-2220 79 XSS 2015-03-05 2018-10-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields[1] parameter to wp-admin/post.php.
23 CVE-2014-9688 2015-03-05 2015-03-05
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.
Total number of vulnerabilities : 23   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.