CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2015-2220 – Ninja Forms Contact Form <= 2.8.8 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-2220
Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields[1] parameter to wp-admin/post.php. Múltiples vulnerabilidades de XSS en el plugin Ninja Forms anterior a 2.8.9 para WordPress permiten a (1) atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro ninja_forms_field_1 en una acción ninja_forms_ajax_submit en wp-admin/admin-ajax.php o (2) administradores remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro fields[1] en wp-admin/post.php. • http://packetstormsecurity.com/files/130369/WordPress-Ninja-Forms-2.8.8-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/534687/100/0/threaded http://www.securityfocus.com/bid/74857 https://wordpress.org/plugins/ninja-forms/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8815 – Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8815
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_message’ parameter in versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •