Ninja Forms
by WordPress
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-12462 | | Med | 0.40 | 6.1 | 0.00 | | Apr 29, 2020 | The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS. |
| CVE-2017-18574 | | Med | 0.40 | 6.1 | 0.01 | | Aug 22, 2019 | The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder. |
| CVE-2018-7280 | | Med | 0.40 | 6.1 | 0.01 | | Feb 21, 2018 | The Ninja Forms plugin before 3.2.14 for WordPress has XSS. |
| CVE-2024-50515 | | Med | 0.38 | 5.9 | 0.00 | | Nov 19, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms allows Stored XSS. This issue affects Ninja Forms: from n/a through <= 3.8.16. |
| CVE-2024-50514 | | Med | 0.38 | 5.9 | 0.00 | | Nov 19, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms allows Stored XSS. This issue affects Ninja Forms: from n/a through <= 3.8.16. |
| CVE-2024-43999 | | Med | 0.38 | 5.9 | 0.00 | | Sep 18, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms allows Stored XSS. This issue affects Ninja Forms: from n/a through 3.8.11. |
| CVE-2018-19287 | | Med | 0.36 | 6.1 | 0.09 | | Nov 15, 2018 | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. |
| CVE-2026-1307 | | Med | 0.35 | 6.5 | 0.00 | | Mar 28, 2026 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This… |
| CVE-2024-39628 | | Med | 0.35 | 5.4 | 0.00 | | Aug 26, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery. This issue affects Ninja Forms: from n/a through 3.8.6. |
| CVE-2024-37934 | | Med | 0.35 | 5.4 | 0.00 | | Jul 9, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection. This issue affects Ninja Forms: from n/a through 3.8.4. |
| CVE-2024-26019 | | Med | 0.35 | 5.4 | 0.01 | | Apr 11, 2024 | Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing to the website using the product. |
| CVE-2020-36175 | | Med | 0.35 | 5.3 | 0.01 | | Jan 6, 2021 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field. |
| CVE-2020-36173 | | Med | 0.35 | 5.3 | 0.01 | | Jan 6, 2021 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields. |
| CVE-2020-8594 | | Med | 0.35 | 5.4 | 0.01 | | Feb 14, 2020 | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format]. |
| CVE-2018-19796 | | Med | 0.33 | 6.1 | 0.02 | | Dec 3, 2018 | An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter. |
| CVE-2025-2561 | | Med | 0.31 | 4.8 | 0.00 | | May 19, 2025 | The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite… |
| CVE-2025-2560 | | Med | 0.31 | 4.8 | 0.00 | | May 19, 2025 | The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite… |
| CVE-2025-2524 | | Med | 0.31 | 4.8 | 0.00 | | May 19, 2025 | The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite… |
| CVE-2024-3866 | | Med | 0.24 | 4.7 | 0.00 | | Sep 25, 2024 | The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for… |
| CVE-2024-2113 | | Med | 0.21 | 4.3 | 0.00 | | Mar 29, 2024 | The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX… |
Page 2 of 3