Total: 48 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-38393 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A | 7.6 HIGH |
Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25. | |||||
CVE-2023-37979 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A | 7.1 HIGH |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions. | |||||
CVE-2023-35909 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A | 5.3 MEDIUM |
Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS. This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25. | |||||
CVE-2021-36827 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress via "label". | |||||
CVE-2021-34648 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.0 MEDIUM | 6.4 MEDIUM |
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims. | |||||
CVE-2021-34647 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information. | |||||
CVE-2021-25066 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2021-25056 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2021-24889 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injection attacks. | |||||
CVE-2021-24166 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. | |||||
CVE-2021-24165 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. | |||||
CVE-2021-24164 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection. | |||||
CVE-2021-24163 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin. | |||||
CVE-2020-8594 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. | |||||
CVE-2020-36175 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. | |||||
CVE-2020-36174 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. | |||||
CVE-2020-36173 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | |||||
CVE-2020-12462 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. | |||||
CVE-2018-7280 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
The Ninja Forms plugin before 3.2.14 for WordPress has XSS. | |||||
CVE-2018-20981 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests. |