High severity7.2NVD Advisory· Published Mar 23, 2022· Updated Apr 8, 2026

CVE-2022-0889

Description

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.

Affected products

Ninjaforms/Ninja Forms File Uploads
cpe:2.3:a:ninjaforms:ninja_forms_file_uploads:*:*:*:*:*:wordpress:*:*
Range: <=3.3.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

ninjaforms.com/extensions/file-uploads/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/8c5642fa-d001-47c4-8acd-94ae944e5129nvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000