Ninjaforms Ninja Forms vulnerabilities
57 known vulnerabilities affecting ninjaforms/ninja_forms.
Total CVEs: 57
CISA KEV: 0
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 11, MEDIUM 40
Vulnerabilities
Page 1 of 3
CVE-2025-11924 (P2, HIGH, CVSS 7.5, CWE-639, Exploited, fixed in 3.13.1, 2025-12-17)
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes
Source: nvd
CVE-2021-34648 (P1, MEDIUM, CVSS 4.3, CWE-863, Exploited, affected ≤ 3.5.7, 2021-09-22)
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which
Source: nvd
CVE-2021-34647 (P2, MEDIUM, CVSS 6.5, CWE-863, Exploited, affected ≤ 3.5.7, 2021-09-22)
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which c
Source: nvd
CVE-2021-24164 (P2, MEDIUM, CVSS 4.3, CWE-200, Exploited, fixed in 3.4.34.1, 2021-04-05)
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action wp_ajax_nf_oauth and retrieve the connection URL needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.
Source: nvd
CVE-2016-1209 (P2, CRITICAL, CVSS 9.8, CWE-20, PoC, affected ≤ 2.9.42, 2016-05-14)
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.
Source: nvd
CVE-2023-37979 (P3, MEDIUM, CVSS 6.1, CWE-79, PoC, fixed in 3.6.26, 2023-07-27)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.
Source: nvd
CVE-2024-0685 (P3, CRITICAL, CVSS 9.8, CWE-89, affected ≤ 3.7.1, 2024-02-02)
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL q
Source: nvd
CVE-2025-9083 (P3, CRITICAL, CVSS 9.8, CWE-502, fixed in 3.11.1, 2025-09-18)
The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Source: nvd
CVE-2024-37934 (P3, CRITICAL, CVSS 9.8, CWE-94, fixed in 3.8.5, 2024-07-09)
Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection. This issue affects Ninja Forms: from n/a through 3.8.4.
Source: nvd
CVE-2021-24165 (P3, MEDIUM, CVSS 6.1, CWE-601, PoC, fixed in 3.4.34, 2021-04-05)
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
Source: nvd
CVE-2023-1835 (P3, MEDIUM, CVSS 6.1, CWE-79, PoC, fixed in 3.6.22, 2023-05-15)
The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Source: nvd
CVE-2024-7354 (P3, MEDIUM, CVSS 6.1, CWE-79, PoC, affected ≥ 3.8.6 and < 3.8.11, 2024-09-02)
The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Source: nvd
CVE-2023-38393 (P3, HIGH, CVSS 8.8, CWE-862, affected ≤ 3.6.26, 2024-06-19)
Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25.
Source: nvd
CVE-2023-38386 (P3, CRITICAL, CVSS 9.8, CWE-862, fixed in 3.6.26, 2024-06-19)
Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25.
Source: nvd
CVE-2021-24163 (P3, HIGH, CVSS 8.8, CWE-200, fixed in 3.4.34, 2021-04-05)
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34
Source: nvd
CVE-2018-20981 (P3, CRITICAL, CVSS 9.1, CWE-20, fixed in 3.3.9, 2019-08-22)
The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.
Source: nvd
CVE-2023-36505 (P3, HIGH, CVSS 7.2, CWE-20, fixed in 3.6.25, 2024-04-17)
Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form. This issue affects Ninja Forms Contact Form: from n/a through 3.6.24.
Source: nvd
CVE-2018-20980 (P3, HIGH, CVSS 7.5, CWE-20, fixed in 3.2.15, 2019-08-22)
The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.
Source: nvd
CVE-2024-25572 (P3, HIGH, CVSS 8.8, CWE-352, fixed in 3.4.31, 2024-04-11)
Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a malicious page while logged in, unintended operations may be performed.
Source: nvd
CVE-2024-12238 (P3, MEDIUM, CVSS 6.3, CWE-94, fixed in 3.8.23, 2024-12-29)
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticat
Source: nvd