CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4109 – Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection
https://notcve.org/view.php?id=CVE-2023-4109
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability. El plugin Ninja Forms para WordPress anterior a la versión 3.6.26 estaba afectado por una vulnerabilidad de seguridad de inyección HTML. The Ninja Forms plugin for WordPress is vulnerable to Stored HTML Injection in versions up to, and including, 3.6.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator access to inject arbitrary HTML content in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/558e06ab-704b-4bb1-ba7f-b5f6bbbd68d9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24381 – NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24381
The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Ninja Forms Contact Form de WordPress versiones anteriores a 3.5.8.2, no sanea ni escapa del nombre de la clase personalizada del campo form creado, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada • https://wpscan.com/vulnerability/e383fae6-e0da-4aba-bb62-adf51c01bf8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •