Ninja Forms
by WordPress
CVEs (44)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-1209 | | Cri | 0.72 | 9.8 | 0.62 | | May 14, 2016 | The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request. |
| CVE-2019-15025 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 14, 2019 | The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page. |
| CVE-2018-20981 | | Cri | 0.59 | 9.1 | 0.02 | | Aug 22, 2019 | The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests. |
| CVE-2024-25572 | | Hig | 0.57 | 8.8 | 0.00 | | Apr 11, 2024 | Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a malicious page while logging in, unintended operations may be performed. |
| CVE-2018-16308 | | Hig | 0.56 | 8.6 | 0.02 | | Sep 1, 2018 | The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection. |
| CVE-2019-10869 | | Hig | 0.54 | 8.1 | 0.13 | | May 7, 2019 | Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka… |
| CVE-2018-20980 | | Hig | 0.49 | 7.5 | 0.01 | | Aug 22, 2019 | The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering. |
| CVE-2024-11052 | | Hig | 0.47 | 7.2 | 0.00 | | Dec 12, 2024 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes… |
| CVE-2024-1596 | | Hig | 0.47 | 7.2 | 0.00 | | Sep 7, 2024 | The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for… |
| CVE-2026-2268 | | Hig | 0.42 | 7.5 | 0.00 | | Feb 10, 2026 | The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the… |
| CVE-2025-5398 | | Med | 0.42 | 6.4 | 0.00 | | Jun 27, 2025 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through… |
| CVE-2024-13470 | | Med | 0.42 | 6.4 | 0.00 | | Jan 30, 2025 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied… |
| CVE-2021-34648 | | Med | 0.42 | 6.4 | 0.01 | | Sep 22, 2021 | The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the… |
| CVE-2021-34647 | | Med | 0.42 | 6.5 | 0.01 | | Sep 22, 2021 | The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms… |
| CVE-2020-36174 | | Med | 0.42 | 6.5 | 0.01 | | Jan 6, 2021 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration. |
| CVE-2024-12238 | | Med | 0.41 | 6.3 | 0.00 | | Dec 29, 2024 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate… |
| CVE-2024-7354 | | Med | 0.40 | 6.1 | 0.01 | | Sep 2, 2024 | The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-29220 | | Med | 0.40 | 6.1 | 0.00 | | Apr 11, 2024 | Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the website using the product. |
| CVE-2020-12462 | | Med | 0.40 | 6.1 | 0.00 | | Apr 29, 2020 | The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. |
| CVE-2017-18574 | | Med | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder. |
Page 1 of 3