CVE-2023-38393 – WordPress Ninja Forms plugin <= 3.6.25 - Subscriber+ Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-38393
Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25. The Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the processing() function in versions up to, and including, 3.6.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to export form submissions via the nf_download_all_subs AJAX action. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2023-38386 – WordPress Ninja Forms plugin <= 3.6.25 - Contributor+ Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-38386
Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25. The Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_listen() function in versions up to, and including, 3.6.25. This makes it possible for authenticated attackers, with contributor-level access and above, to export form submissions via a properly crafted request. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-contributor-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2023-37979 – WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-37979
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions. The Ninja Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in versions up to, and including, 3.6.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/51644 https://github.com/d0rb/CVE-2023-37979 https://github.com/Mehran-Seifalinia/CVE-2023-37979 https://github.com/codeb0ss/CVE-2023-37979 http://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html https://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin?_s_id=cve https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-reflected-cross-site-scripting • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-35909 – WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Denial of Service Attack
https://notcve.org/view.php?id=CVE-2023-35909
Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS. This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25. The Ninja Forms plugin for WordPress is vulnerable to denial of service in versions up to, and including, 3.6.25. This is due to insufficient controls on form submissions. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-denial-of-service-attack-vulnerability?_s_id=cve • CWE-400: Uncontrolled Resource Consumption
CVE-2023-36505 – WordPress Ninja Forms Plugin <= 3.6.24 is vulnerable to Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-36505
Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form. This issue affects Ninja Forms Contact Form: from n/a through 3.6.24. The Ninja Forms plugin for WordPress is vulnerable to arbitrary file deletions in versions up to, and including, 3.6.24. This is due to insufficient restriction on the file path that can be supplied during file deletion. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-contact-form-the-drag-and-drop-form-builder-for-wordpress-plugin-3-6-24-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path