CVE-2021-25066 — Cross-site Scripting in Ninja Forms

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 57.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ninjaforms Ninja Forms

Timeline

PublishedJul 4

Latest updateJul 5

Description

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

▶NVDninjaforms/ninja_forms< 3.6.10

🔴Vulnerability Details

GHSA

GHSA-fgg3-jvqw-q86r: The Ninja Forms Contact Form WordPress plugin before 3↗2022-07-05

▶

CVEList

Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import↗2022-07-04

▶