Stored Cross-Site Scripting in Ninja Forms by WP Ninjas
CVE-2024-13470
5.4 MEDIUM
Key Information:
- Vendor: Kstover
- Product: Ninja Forms – The Contact Form Builder That Grows With You
- CVE Published: 30 January 2025
Summary
The Ninja Forms plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping of user-supplied attributes in the plugin's shortcode. Authenticated attackers with Contributor-level access or higher can inject arbitrary scripts that execute in the browser of any user who views a page containing the injected shortcode. This can lead to theft of user information and other malicious activity. Immediate action is recommended: update to the latest version of the plugin.
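To illustrate the bug class the summary describes, here is an added example (not Ninja Forms' own code) of a hypothetical WordPress shortcode handler that writes a user-supplied attribute into HTML unescaped, beside the hardened version that uses shortcode_atts() and context-appropriate escaping. The shortcode tag `demo_form` and the attribute `label` are assumptions for the illustration.

```php
<?php
// Added example, not the plugin's code. Hypothetical shortcode [demo_form label="..."]
// showing the defect class in the advisory: a shortcode attribute reaching HTML output
// without escaping. Contributors can place shortcodes in post content, so every
// attribute value must be treated as untrusted input.

// Vulnerable pattern: the attribute value is concatenated straight into markup.
// A value containing a double quote closes the title attribute, and whatever follows
// is parsed by the browser as markup rather than as text.
function demo_form_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Submit' ), $atts, 'demo_form' );
    return '<button class="demo-form-submit" title="' . $atts['label'] . '">'
         . $atts['label'] . '</button>';
}

// Hardened pattern: escape for the exact context each value lands in.
// esc_attr() for an HTML attribute, esc_html() for a text node. Sanitizing on input
// (sanitize_text_field) is a useful second layer but does not replace output escaping.
function demo_form_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Submit' ), $atts, 'demo_form' );
    $label = sanitize_text_field( $atts['label'] );
    return '<button class="demo-form-submit" title="' . esc_attr( $label ) . '">'
         . esc_html( $label ) . '</button>';
}

// Register only the hardened handler; the vulnerable one is shown for comparison.
add_shortcode( 'demo_form', 'demo_form_shortcode_hardened' );
```

The same rule applies to every attribute a shortcode accepts, including ones that land in URLs (esc_url) or inline JavaScript (avoid, or use wp_json_encode).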
Affected Version(s)
Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.24
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
Timeline
- Vulnerability published
- Vulnerability Reserved
Credit
- Peter Thaleikis