Arbitrary Shortcode Execution Vulnerability in Ninja Forms Plugin for WordPress
CVE-2024-12238

6.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Ninja Forms – The Contact Form Builder That Grows With You
Vendor: CVE Published:; 29 December 2024

What is CVE-2024-12238?

The Ninja Forms plugin for WordPress presents a vulnerability that permits arbitrary shortcode execution across all versions up to 3.8.22. The flaw arises from inadequate input validation, enabling authenticated users, including those with Subscriber-level access, to execute unverified shortcodes. This loophole in the plugin can potentially be exploited to perform unauthorized actions on a WordPress site, compromising its security integrity and user data. Mitigation strategies should be promptly applied to safeguard against this vulnerability.

Affected Version(s)

Ninja Forms – The Contact Form Builder That Grows With You * <= 3.8.22

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ninja-forms/ta...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 29, 2024
Vulnerability Reserved
Dec 5, 2024

Credit

Michael Mazzolini