Ninjaforms Ninja Forms vulnerabilities

57 known vulnerabilities affecting ninjaforms/ninja_forms.

Total CVEs: 57
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 11, MEDIUM 40

Vulnerabilities

Page 3 of 3
CVE-2021-24165 | MEDIUM | CVSS 6.1 | PoC | fixed in 3.4.34 | 2021-04-05
CWE-601: In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
Source: nvd
CVE-2021-24164 | MEDIUM | CVSS 4.3 | fixed in 3.4.34.1 | 2021-04-05
CWE-200: In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.
Source: nvd
CVE-2021-24166 | MEDIUM | CVSS 5.4 | fixed in 3.4.34 | 2021-04-05
CWE-352: The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection, making it possible for attackers to craft a request to disconnect a site's OAuth connection.
Source: nvd
CVE-2020-36174 | MEDIUM | CVSS 6.5 | fixed in 3.4.27.1 | 2021-01-06
CWE-352: The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.
Source: nvd
CVE-2020-36175 | MEDIUM | CVSS 5.3 | fixed in 3.4.27.1 | 2021-01-06
CWE-20: The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
Source: nvd
CVE-2020-36173 | MEDIUM | CVSS 5.3 | fixed in 3.4.28 | 2021-01-06
CWE-116: The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.
Source: nvd
CVE-2020-12462 | MEDIUM | CVSS 6.1 | fixed in 3.4.24.2 | 2020-04-29
CWE-352: The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.
Source: nvd
CVE-2020-8594 | MEDIUM | CVSS 5.4 | v3.4.22 | 2020-02-14
CWE-79: The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].
Source: nvd
CVE-2018-20981 | CRITICAL | CVSS 9.1 | fixed in 3.3.9 | 2019-08-22
CWE-20: The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.
Source: nvd
CVE-2018-20980 | HIGH | CVSS 7.5 | fixed in 3.2.15 | 2019-08-22
CWE-20: The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.
Source: nvd
CVE-2017-18574 | MEDIUM | CVSS 6.1 | fixed in 3.0.31 | 2019-08-22
CWE-20: The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.
Source: nvd
CVE-2018-19796 | MEDIUM | CVSS 6.1 | fixed in 3.3.19.1 | 2018-12-03
CWE-601: An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.
Source: nvd
CVE-2018-16308 | HIGH | CVSS 8.6 | fixed in 3.3.14.1 | 2018-09-01
CWE-1236: The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
Source: nvd
CVE-2018-7280 | MEDIUM | CVSS 6.1 | fixed in 3.2.14 | 2018-02-21
CWE-79: The Ninja Forms plugin before 3.2.14 for WordPress has XSS.
Source: nvd
CVE-2016-1209 | CRITICAL | CVSS 9.8 | PoC | ≤ 2.9.42 | 2016-05-14
CWE-20: The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.
Source: nvd
CVE-2014-9688 | HIGH | CVSS 7.5 | ≤ 2.8.9 | 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.
Source: nvd
CVE-2015-2220 | MEDIUM | CVSS 4.3 | ≤ 2.8.8 | 2015-03-05
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields
Source: nvd