High severity8.8NVD Advisory· Published Apr 5, 2021· Updated Jun 17, 2026
CVE-2021-24163
CVE-2021-24163
Description
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Ninja Forms/SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPressdescription
- Range: <3.4.34
Patches
Vulnerability mechanics
References
2- wpscan.com/vulnerability/55fde9fa-f6cd-4546-bee8-4acc628251c2nvdExploitThird Party Advisory
- www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/nvdThird Party Advisory
News mentions
0No linked articles in our index yet.