CVE-2021-36827 — Cross-site Scripting in Drive Ninja Forms Contact Form

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 57.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saturday Drive Ninja Forms Contact Form Ninjaforms Ninja Forms

Timeline

PublishedJun 16

Latest updateJun 17

Description

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress via "label".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5saturday_drive/ninja_forms_contact_formn/a — 3.6.9

▶NVDninjaforms/ninja_forms3.6.9

🔴Vulnerability Details

GHSA

GHSA-f2h8-cw2w-qx44: Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3↗2022-06-17

▶

CVEList

WordPress Ninja Forms Contact Form plugin <= 3.6.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability↗2022-06-16

▶