Ninjaforms

Ninja Forms

57 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2023-37979

  • EPSS 23.99%
  • Veröffentlicht 27.07.2023 15:15:11
  • Zuletzt bearbeitet 21.11.2024 08:12:37

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.

6.1

CVE-2023-1835

Exploit
  • EPSS 18.09%
  • Veröffentlicht 15.05.2023 13:15:10
  • Zuletzt bearbeitet 14.01.2025 19:15:28

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

7.2

CVE-2022-2903

Exploit
  • EPSS 0.78%
  • Veröffentlicht 26.09.2022 13:15:10
  • Zuletzt bearbeitet 21.05.2025 20:15:28

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is pre...

4.8

CVE-2021-25066

Exploit
  • EPSS 0.21%
  • Veröffentlicht 04.07.2022 13:15:08
  • Zuletzt bearbeitet 21.11.2024 05:54:17

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8

CVE-2021-25056

Exploit
  • EPSS 0.21%
  • Veröffentlicht 04.07.2022 13:15:08
  • Zuletzt bearbeitet 21.11.2024 05:54:16

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

4.8

CVE-2021-36827

  • EPSS 0.21%
  • Veröffentlicht 16.06.2022 18:15:09
  • Zuletzt bearbeitet 21.11.2024 06:14:09

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress via "label".

7.2

CVE-2021-24889

Exploit
  • EPSS 0.57%
  • Veröffentlicht 29.11.2021 09:15:07
  • Zuletzt bearbeitet 21.11.2024 05:53:57

The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks

4.3

CVE-2021-34648

Exploit
  • EPSS 0.22%
  • Veröffentlicht 22.09.2021 18:15:11
  • Zuletzt bearbeitet 21.11.2024 06:10:53

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send ar...

4

CVE-2021-34647

Exploit
  • EPSS 0.72%
  • Veröffentlicht 22.09.2021 18:15:11
  • Zuletzt bearbeitet 21.11.2024 06:10:53

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attacker...

8.8

CVE-2021-24163

Exploit
  • EPSS 0.6%
  • Veröffentlicht 05.04.2021 19:15:15
  • Zuletzt bearbeitet 21.11.2024 05:52:30

The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP...