Ninja Forms Vulnerable to Stored Cross-Site Scripting
CVE-2024-11052

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 12 December 2024

Summary

The Ninja Forms plugin for WordPress is prone to a Stored Cross-Site Scripting vulnerability that arises from inadequate input sanitization and output escaping in the calculations parameter. This security flaw impacts all versions up to and including 3.8.19, allowing unauthenticated attackers to inject malicious web scripts. When users access pages that include the injected content, these scripts could execute, leading to potential unauthorized actions and data exposure. Website administrators should ensure they are using patched versions of the plugin and take proactive measures to secure their WordPress installations.

Affected Version(s)

Ninja Forms – The Contact Form Builder That Grows With You * <= 3.8.19

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini