CVE-2024-3866Cross-site Scripting in Ninja Forms

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
CNA4.7
EPSS
1.3%
top 20.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ninjaforms Ninja FormsKstover Ninja Forms THE Contact Form Builder That Grows With YOU
Timeline
PublishedSep 25

Description

The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "mainte

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-hj6g-33gj-29m6: The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions2024-09-25
CVEList
Ninja Forms Contact Form <= 3.8.15 - Reflected Self-Based Cross-Site Scripting via Referer2024-09-25
CVE-2024-3866 — Cross-site Scripting in Ninja Forms | cvebase