Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ninja_forms
(Ninjaforms)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 36 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-05-15 | CVE-2023-1835 | The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | Ninja_forms | 6.1 | ||
| 2020-02-14 | CVE-2020-8594 | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. | Ninja_forms | 5.4 | ||
| 2021-01-06 | CVE-2020-36173 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. | Ninja_forms | 5.3 | ||
| 2021-01-06 | CVE-2020-36174 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. | Ninja_forms | 6.5 | ||
| 2021-01-06 | CVE-2020-36175 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. | Ninja_forms | 5.3 | ||
| 2021-04-05 | CVE-2021-24163 | The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin. | Ninja_forms | 8.8 | ||
| 2021-04-05 | CVE-2021-24164 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection. | Ninja_forms | 4.3 | ||
| 2021-04-05 | CVE-2021-24165 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. | Ninja_forms | 6.1 | ||
| 2021-04-05 | CVE-2021-24166 | The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. | Ninja_forms | 5.4 | ||
| 2021-09-22 | CVE-2021-34647 | The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information. | Ninja_forms | N/A |