Stored Cross-Site Scripting Vulnerability in File Uploads Plugin
CVE-2024-1596

7.2HIGH

Key Information:

Vendor

WordPress
Status
Ninja Forms - File Uploads
Vendor
CVE Published:
7 September 2024

What is CVE-2024-1596?

The Ninja Forms - File Uploads plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping. This flaw affects all versions up to and including 3.3.16, allowing unauthorized attackers to upload malicious files (e.g., RTX files) that could inject arbitrary scripts into web pages. When users access these compromised pages, the injected scripts execute, posing significant security risks.

Affected Version(s)

Ninja Forms - File Uploads * <= 3.3.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://ninjaforms.com/extensions/file-uploads/
https://ninjaforms.com/extensions/file-uploads/?changelog=1/

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
.