VYPR

Ninja Forms

by WordPress

CVEs (44)

  • CVE-2016-1209 | Critical | May 14, 2016
    risk 0.72 | cvss 9.8 | epss 0.62

    The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.

  • CVE-2019-15025 | Critical | Aug 14, 2019
    risk 0.64 | cvss 9.8 | epss 0.02

    The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

  • CVE-2018-20981 | Critical | Aug 22, 2019
    risk 0.59 | cvss 9.1 | epss 0.02

    The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.

  • CVE-2024-25572 | High | Apr 11, 2024
    risk 0.57 | cvss 8.8 | epss 0.00

    Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a malicious page while logging in, unintended operations may be performed.

  • CVE-2018-16308 | High | Sep 1, 2018
    risk 0.56 | cvss 8.6 | epss 0.02

    The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.

  • CVE-2019-10869 | High | May 7, 2019
    risk 0.54 | cvss 8.1 | epss 0.13

    Path Traversal and Unrestricted File Upload exist in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka…

  • CVE-2018-20980 | High | Aug 22, 2019
    risk 0.49 | cvss 7.5 | epss 0.01

    The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.

  • CVE-2024-11052 | High | Dec 12, 2024
    risk 0.47 | cvss 7.2 | epss 0.00

    The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes…

  • CVE-2024-1596 | High | Sep 7, 2024
    risk 0.47 | cvss 7.2 | epss 0.00

    The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2026-2268 | High | Feb 10, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the…

  • CVE-2025-5398 | Medium | Jun 27, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through…

  • CVE-2024-13470 | Medium | Jan 30, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.24 due to insufficient input sanitization and output escaping on user supplied…

  • CVE-2021-34648 | Medium | Sep 22, 2021
    risk 0.42 | cvss 6.4 | epss 0.01

    The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the…

  • CVE-2021-34647 | Medium | Sep 22, 2021
    risk 0.42 | cvss 6.5 | epss 0.01

    The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms…

  • CVE-2020-36174 | Medium | Jan 6, 2021
    risk 0.42 | cvss 6.5 | epss 0.01

    The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.

  • CVE-2024-12238 | Medium | Dec 29, 2024
    risk 0.41 | cvss 6.3 | epss 0.00

    The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate…

  • CVE-2024-7354 | Medium | Sep 2, 2024
    risk 0.40 | cvss 6.1 | epss 0.01

    The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

  • CVE-2024-29220 | Medium | Apr 11, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the website using the product.

  • CVE-2020-12462 | Medium | Apr 29, 2020
    risk 0.40 | cvss 6.1 | epss 0.00

    The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.

  • CVE-2017-18574 | Medium | Aug 22, 2019
    risk 0.40 | cvss 6.1 | epss 0.01

    The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.

Page 1 of 3