NotCVE - vendor:"Ninja Forms" product:"Ninja Forms" version:" >= 0.0.0 <= 3.8.4"

Page 3 of 41 results (0.008 seconds)

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 4

CVE-2023-37979 – WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Cross Site Scripting (XSS)

https://notcve.org/view.php?id=CVE-2023-37979

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions. The Ninja Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in versions up to, and including, 3.6.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/51644 https://github.com/d0rb/CVE-2023-37979 https://github.com/Mehran-Seifalinia/CVE-2023-37979 https://github.com/codeb0ss/CVE-2023-37979 http://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html https://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin?_s_id=cve https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-reflected-cross-site-scripting • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-35909 – WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Denial of Service Attack

https://notcve.org/view.php?id=CVE-2023-35909

Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS.This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25. Vulnerabilidad de consumo de recursos incontrolado en Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder para WordPress que conduce a DoS. Este problema afecta a Ninja Forms Contact Form – The Drag and Drop Form Builder para WordPress: desde n/a hasta 3.6.25. The Ninja Forms plugin for WordPress is vulnerable to denial of service in versions up to, and including, 3.6.25. This is due to insufficient controls on form submissions. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-denial-of-service-attack-vulnerability?_s_id=cve • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-36505 – WordPress Ninja Forms Plugin <= 3.6.24 is vulnerable to Arbitrary File Deletion

https://notcve.org/view.php?id=CVE-2023-36505

Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form.This issue affects Ninja Forms Contact Form : from n/a through 3.6.24. Vulnerabilidad de validación de entrada incorrecta en Saturday Drive Ninja Forms Contact Form. Este problema afecta al formulario de contacto de Ninja Forms: desde n/a hasta 3.6.24. The Ninja Forms plugin for WordPress is vulnerable to arbitrary file deletions in versions up to, and including, 3.6.24. This is due to insufficient restriction on the file path that can be supplied during file deletion. • https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-contact-form-the-drag-and-drop-form-builder-for-wordpress-plugin-3-6-24-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

CVE-2023-1835 – Ninja Forms < 3.6.22 - Reflected XSS

https://notcve.org/view.php?id=CVE-2023-1835

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'title' parameter in versions up to, and including, 3.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/b5fc223c-5ec0-44b2-b2f6-b35f9942d341 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

CVE-2022-2903 – NinjaForms < 3.6.13 - Admin+ PHP Objection Injection

https://notcve.org/view.php?id=CVE-2022-2903

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. El plugin Ninja Forms Contact Form de WordPress versiones anteriores a 3.6.13, no serializa el contenido de un archivo importado, lo que podría conllevar a problemas de inyecciones de objetos PHP cuando un administrador importa (intencionadamente o no) un archivo malicioso y una cadena de gadgets apropiada está presente en el blog. The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.6.12 via deserialization of untrusted input. This allows administrator-level attackers to inject a PHP Object. No POP chain is present in the vulnerable NinjaForms. • https://wpscan.com/vulnerability/255b98ba-5da9-4424-a7e9-c438d8905864 • CWE-502: Deserialization of Untrusted Data •

1 2 3 4 5