Ninja Forms
by WordPress
Source repositories
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-14072 | 0.00 | — | 0.00 | Jan 2, 2026 | The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions. | |||
| CVE-2025-11924 | 0.00 | — | 0.00 | Dec 17, 2025 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the… | |||
| CVE-2025-10498 | 0.00 | — | 0.00 | Sep 27, 2025 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for… | |||
| CVE-2025-9083 | 0.00 | — | 0.01 | Sep 18, 2025 | The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. | |||
| CVE-2015-2220 | 0.00 | — | 0.02 | Mar 5, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2)… | |||
| CVE-2014-9688 | 0.00 | — | 0.02 | Mar 5, 2015 | Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users. |
- CVE-2025-14072Jan 2, 2026risk 0.00cvss —epss 0.00
The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.
- CVE-2025-11924Dec 17, 2025risk 0.00cvss —epss 0.00
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the…
- CVE-2025-10498Sep 27, 2025risk 0.00cvss —epss 0.00
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for…
- CVE-2025-9083Sep 18, 2025risk 0.00cvss —epss 0.01
The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
- CVE-2015-2220Mar 5, 2015risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2)…
- CVE-2014-9688Mar 5, 2015risk 0.00cvss —epss 0.02
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.
Page 3 of 3