Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-1835

Severity: 6.1 MEDIUM
EPSS: 18.1% (top 4.82%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published May 15, 2023

Description

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a reflected cross-site scripting (XSS) vulnerability that could be used against high-privilege users such as administrators. Because the flaw is reflected, the attacker needs no account of their own but must get a privileged user to open a crafted link (PR:N and UI:R in the vector below).
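The pattern the description refers to, as an added illustration in PHP that is not Ninja Forms code: a hypothetical WordPress admin page that reflects a request parameter without escaping, beside a hardened version that escapes for the HTML context it writes into. The function names, the `search` parameter, the `example-submissions` slug and the `example` text domain are assumptions; the block assumes a WordPress runtime for `esc_html()`, `esc_attr()`, `esc_html__()`, `sanitize_text_field()`, `wp_unslash()` and `add_menu_page()`.

```php
<?php
// Added illustration, not Ninja Forms code. All names below are assumptions
// chosen for the example; the code assumes it runs inside WordPress.

// VULNERABLE PATTERN: a request parameter is echoed into admin HTML as-is.
function example_admin_page_vulnerable() {
    // Assumed parameter name. The attacker controls it through a crafted
    // link that the administrator is lured into opening.
    $search = isset( $_GET['search'] ) ? $_GET['search'] : '';

    echo '<div class="wrap"><h1>Submissions</h1>';
    // Text context: a '<script>' or '<img onerror=...>' in $search is parsed
    // as markup and runs in the administrator's browser (reflected XSS).
    echo '<p>Showing results for: ' . $search . '</p>';
    // Attribute context: a '"' in $search closes the value early, so an
    // attacker can append an event-handler attribute.
    echo '<input type="text" name="search" value="' . $search . '" />';
    echo '</div>';
}

// HARDENED PATTERN: sanitize on input, then escape on output for the exact
// context (text node vs. attribute value) the string is written into.
function example_admin_page_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, octets and control characters.
    // Sanitizing alone is NOT output escaping: the esc_*() calls below are
    // the actual defence against XSS.
    $search = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';

    echo '<div class="wrap"><h1>' . esc_html__( 'Submissions', 'example' ) . '</h1>';
    // esc_html(): '<' becomes '&lt;', '>' becomes '&gt;', so no tag is parsed.
    echo '<p>' . esc_html( sprintf( 'Showing results for: %s', $search ) ) . '</p>';
    // esc_attr(): '"' becomes '&quot;', so the attribute cannot be closed
    // early to inject an event handler.
    echo '<input type="text" name="search" value="' . esc_attr( $search ) . '" />';
    echo '</div>';
}

// Registering the page behind the manage_options capability does NOT
// mitigate reflected XSS: the victim is the administrator, who already
// passes that check. Only output escaping closes the hole.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Submissions',                // page title
        'Submissions',                // menu title
        'manage_options',             // required capability
        'example-submissions',        // assumed menu slug
        'example_admin_page_hardened' // callback that renders the page
    );
} );
```

The choice of escaping function follows the context: `esc_html()` for text between tags, `esc_attr()` for quoted attribute values, `esc_url()` for `href`/`src`, and `wp_kses_post()` only where a limited set of HTML is genuinely meant to survive. Applying `esc_html()` inside an attribute, or relying on `sanitize_text_field()` alone, leaves an attribute-context injection open.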

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

CVEList: Ninja Forms < 3.6.22 - Reflected XSS (2023-05-15)
GHSA: GHSA-wpmw-7q3p-9ww7: The Ninja Forms Contact Form WordPress plugin before 3 (2023-05-15)

💥 Exploits & PoCs (1)

Nuclei: Ninja Forms < 3.6.22 - Cross-Site Scripting
CVE-2023-1835 (MEDIUM CVSS 6.1) | The Ninja Forms Contact Form WordPr | cvebase.io