Ninjaforms Ninja Forms vulnerabilities

57 known vulnerabilities affecting ninjaforms/ninja_forms.

Total CVEs: 57
CISA KEV: 0
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 11, MEDIUM 40

Vulnerabilities

Page 2 of 3
CVE-2018-16308 | P3 | HIGH | CVSS 8.6 | fixed in 3.3.14.1 | 2018-09-01
CVE-2018-16308 [HIGH] CWE-1236: The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
nvd
CVE-2022-2903 | P3 | HIGH | CVSS 7.2 | fixed in 3.6.13 | 2022-09-26
CVE-2022-2903 [HIGH] CWE-502: The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
nvd
CVE-2024-39628 | P3 | HIGH | CVSS 8.8 | fixed in 3.8.7 | 2024-08-26
CVE-2024-39628 [HIGH] CWE-352: Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery. This issue affects Ninja Forms: from n/a through 3.8.6.
nvd
CVE-2021-24889 | P3 | HIGH | CVSS 7.2 | fixed in 3.6.4 | 2021-11-29
CVE-2021-24889 [HIGH] CWE-89: The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injection attacks.
nvd
CVE-2014-9688 | P4 | HIGH | CVSS 7.5 | ≤ 2.8.9 | 2015-03-05
CVE-2014-9688 [HIGH]: Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.
nvd
CVE-2025-14072 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.13.3 | 2026-01-02
CVE-2025-14072 [MEDIUM] CWE-287: The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.
nvd
CVE-2020-36175 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.4.27.1 | 2021-01-06
CVE-2020-36175 [MEDIUM] CWE-20: The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
nvd
CVE-2020-36174 | P4 | MEDIUM | CVSS 6.5 | fixed in 3.4.27.1 | 2021-01-06
CVE-2020-36174 [MEDIUM] CWE-352: The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.
nvd
CVE-2024-11052 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.8.20 | 2024-12-12
CVE-2024-11052 [MEDIUM] CWE-79: The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in
nvd
CVE-2024-29220 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.8.1 | 2024-04-11
CVE-2024-29220 [MEDIUM] CWE-79: Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the website using the product.
nvd
CVE-2020-8594 | P4 | MEDIUM | CVSS 5.4 | v3.4.22 | 2020-02-14
CVE-2020-8594 [MEDIUM] CWE-79: The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].
nvd
CVE-2018-19796 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.3.19.1 | 2018-12-03
CVE-2018-19796 [MEDIUM] CWE-601: An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.
nvd
CVE-2024-26019 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.8.1 | 2024-04-11
CVE-2024-26019 [MEDIUM] CWE-79: Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the website using the product.
nvd
CVE-2023-35909 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.6.26 | 2023-12-07
CVE-2023-35909 [MEDIUM] CWE-400: Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS. This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25.
nvd
CVE-2025-5398 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.10.2.2 | 2025-06-27
CVE-2025-5398 [MEDIUM] CWE-79: The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contribu
nvd
CVE-2025-10498 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.12.1 | 2025-09-27
CVE-2025-10498 [MEDIUM] CWE-352: The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an a
nvd
CVE-2017-18574 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.0.31 | 2019-08-22
CVE-2017-18574 [MEDIUM] CWE-20: The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.
nvd
CVE-2018-7280 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.2.14 | 2018-02-21
CVE-2018-7280 [MEDIUM] CWE-79: The Ninja Forms plugin before 3.2.14 for WordPress has XSS.
nvd
CVE-2020-12462 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.4.24.2 | 2020-04-29
CVE-2020-12462 [MEDIUM] CWE-352: The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.
nvd
CVE-2024-3866 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.8.16 | 2024-09-25
CVE-2024-3866 [MEDIUM] CWE-79: The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they
nvd