CVE-2018-19287
Published 2018-11-15
Priority P346 · medium · 6.1 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 8.07% (94.1th percentile)
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ninjaforma | ninja_forms | < 3.3.18 | 3.3.18 |
CVSS provenance
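| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |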
No detection rules found.
Exploit-DB
WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
exploitdb·2018-11-15·CVSS 6.1
CVE-2018-19287 [MEDIUM] WordPress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
---
# Exploit Title: Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
# Date: 2018-11-15
# Exploit Author: MTK
# Vendor Homepage: https://ninjaforms.com
# Software Link: https://wordpress.org/plugins/ninja-forms/
# Version: Up to V3.3.17
# Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
# CVE : CVE-2018-19287
# Plugin description:
# Ninja Forms is the ultimate FREE form creation tool for WordPress. Build forms within minutes
# using a simple yet powerful drag-and-drop form creator. For beginners, quickly and easily
# design complex forms with absolutely no code. For developers, utilize built-in hooks,
# filters, and even custom field templates to do whatever you need at any step in
# the form building or submi
Nuclei
WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2018-19287 [MEDIUM] WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
WordPress Ninja Forms '
- type: word
  part: header_2
  words:
    - text/html
- type: status
  status:
    - 200
# digest: 4b0a00483046022100fc02d4abf6cf4ec2a6aa5a4d641ec223f972107b2ef56f2a1ab935f9b8c7b935022100f0865015c7366fbe7235e9cabd0842b7fdf8ae9dfb0784a5114d2be03a7454e1:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/changeset/1974335/ninja-forms/trunk/includes/Admin/Menus/Submissions.php
https://wordpress.org/plugins/ninja-forms/#developers
https://www.exploit-db.com/exploits/45880/
Published: 2018-11-15