CVE-2023-36505 – WordPress Ninja Forms Plugin <= 3.6.24 is vulnerable to Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-36505
Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form.This issue affects Ninja Forms Contact Form : from n/a through 3.6.24. Vulnerabilidad de validación de entrada incorrecta en Saturday Drive Ninja Forms Contact Form. Este problema afecta al formulario de contacto de Ninja Forms: desde n/a hasta 3.6.24. The Ninja Forms plugin for WordPress is vulnerable to arbitrary file deletions in versions up to, and including, 3.6.24. This is due to insufficient restriction on the file path that can be supplied during file deletion. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-contact-form-the-drag-and-drop-form-builder-for-wordpress-plugin-3-6-24-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path •
CVE-2014-8815 – Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8815
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_message’ parameter in versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •