6.1

CVE-2021-24165

Exploit

Ninja Forms < 3.4.34 - Administrator Open Redirect

Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect

In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
Mögliche Gegenmaßnahme
Ninja Forms – The Contact Form Builder That Grows With You: Update to version 3.4.34, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NinjaformsNinja Forms SwPlatformwordpress Version < 3.4.34
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Ninja Forms – The Contact Form Builder That Grows With You
Version [*, 3.4.34)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.64% 0.733
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 5.8 8.6 4.9
AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
Third Party Advisory
https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/13ba9152-b9a0-4201-ba91-c41686b4d953
Third Party Advisory