Ninjaforms: >> Ninja Forms >> 2.2.40 Security Vulnerabilities
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
CVSS Score
6.1
EPSS Score
0.012
Published
2021-04-05
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.
CVSS Score
5.4
EPSS Score
0.001
Published
2021-04-05
The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-01-06
The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-01-06
The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-01-06
The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-04-29
The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-08-22
The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-08-22
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.
CVSS Score
9.1
EPSS Score
0.006
Published
2019-08-22
An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-12-03