VYPR

Ninja Forms

by WordPress

CVEs (46)

  • CVE-2020-12462 | Med | Apr 29, 2020
    risk 0.40 | cvss 6.1 | epss 0.00

    The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.

  • CVE-2017-18574 | Med | Aug 22, 2019
    risk 0.40 | cvss 6.1 | epss 0.01

    The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.

  • CVE-2018-7280 | Med | Feb 21, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The Ninja Forms plugin before 3.2.14 for WordPress has XSS.

  • CVE-2024-50515 | Med | Nov 19, 2024
    risk 0.38 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms allows Stored XSS. This issue affects Ninja Forms: from n/a through <= 3.8.16.

  • CVE-2024-50514 | Med | Nov 19, 2024
    risk 0.38 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms allows Stored XSS. This issue affects Ninja Forms: from n/a through <= 3.8.16.

  • CVE-2024-43999 | Med | Sep 18, 2024
    risk 0.38 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS. This issue affects Ninja Forms: from n/a through 3.8.11.

  • CVE-2018-19287 | Med | Nov 15, 2018
    risk 0.36 | cvss 6.1 | epss 0.09

    XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.

  • CVE-2026-1307 | Med | Mar 28, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This…

  • CVE-2024-39628 | Med | Aug 26, 2024
    risk 0.35 | cvss 5.4 | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery. This issue affects Ninja Forms: from n/a through 3.8.6.

  • CVE-2024-37934 | Med | Jul 9, 2024
    risk 0.35 | cvss 5.4 | epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection. This issue affects Ninja Forms: from n/a through 3.8.4.

  • CVE-2024-26019 | Med | Apr 11, 2024
    risk 0.35 | cvss 5.4 | epss 0.01

    Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the website using the product.

  • CVE-2020-36175 | Med | Jan 6, 2021
    risk 0.35 | cvss 5.3 | epss 0.01

    The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.

  • CVE-2020-36173 | Med | Jan 6, 2021
    risk 0.35 | cvss 5.3 | epss 0.01

    The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.

  • CVE-2020-8594 | Med | Feb 14, 2020
    risk 0.35 | cvss 5.4 | epss 0.01

    The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].

  • CVE-2018-19796 | Med | Dec 3, 2018
    risk 0.33 | cvss 6.1 | epss 0.02

    An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.

  • CVE-2025-2561 | Med | May 19, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2025-2560 | Med | May 19, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2025-2524 | Med | May 19, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2024-3866 | Med | Sep 25, 2024
    risk 0.24 | cvss 4.7 | epss 0.00

    The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2024-2113 | Med | Mar 29, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX…