Product: Ninja_forms (Ninjaforms)

Repositories: Unknown. This might be proprietary software.

#Vulnerabilities 45
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-03-29 | CVE-2024-2108 | The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | Ninja_forms | 5.4 | | |
| 2024-03-29 | CVE-2024-2113 | The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it possible for unauthenticated attackers to trigger an export of a form's submission to a publicly accessible location via a forged request granted they can trick a site administrator into performing an... | Ninja_forms | 4.3 | | |
| 2024-11-19 | CVE-2024-50514 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS. This issue affects Ninja Forms: from n/a through 3.8.16. | Ninja_forms | 4.8 | | |
| 2024-11-19 | CVE-2024-50515 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS. This issue affects Ninja Forms: from n/a through 3.8.16. | Ninja_forms | 4.8 | | |
| 2023-05-15 | CVE-2023-1835 | The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | Ninja_forms | 6.1 | | |
| 2020-02-14 | CVE-2020-8594 | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. | Ninja_forms | 5.4 | | |
| 2021-01-06 | CVE-2020-36173 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | Ninja_forms | 5.3 | | |
| 2021-01-06 | CVE-2020-36174 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. | Ninja_forms | 6.5 | | |
| 2021-01-06 | CVE-2020-36175 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. | Ninja_forms | 5.3 | | |
| 2021-04-05 | CVE-2021-24163 | The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin. | Ninja_forms | 8.8 | | |