Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24165 — Open Redirect in Ninja Forms

CWE-601 — Open Redirect4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

1.2%

top 21.28%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Ninjaforms Ninja Forms

Timeline

PublishedApr 5

Latest updateMay 24

Description

In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDninjaforms/ninja_forms< 3.4.34

🔴Vulnerability Details

GHSA

GHSA-f7h7-fph4-2w62: In the Ninja Forms Contact Form WordPress plugin before 3↗2022-05-24

▶

CVEList

Ninja Forms < 3.4.34 - Administrator Open Redirect↗2021-04-05

▶

💥Exploits & PoCs

Nuclei

WordPress Ninja Forms <3.4.34 - Open Redirect

▶