Unknown Ninja Forms vulnerabilities
6 known vulnerabilities affecting unknown/ninja_forms.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 5
Vulnerabilities
CVE-2025-14072 [MEDIUM] CVSS 5.3, CWE-287, fixed in 3.13.3, 2026-01-02
The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.
Sources: cvelistv5, nvd
CVE-2025-9083 [CRITICAL] CVSS 9.8, CWE-502, fixed in 3.11.1, 2025-09-18
The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Sources: cvelistv5, nvd
CVE-2025-2561 [MEDIUM] CVSS 4.8, CWE-79, fixed in 3.10.1, 2025-05-19
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Sources: cvelistv5, nvd
CVE-2025-2560 [MEDIUM] CVSS 4.8, CWE-79, fixed in 3.10.1, 2025-05-19
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Sources: cvelistv5, nvd
CVE-2025-2524 [MEDIUM] CVSS 4.8, CWE-79, fixed in 3.10.1, 2025-05-19
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Sources: cvelistv5, nvd
CVE-2024-7354 [MEDIUM] CVSS 6.1, CWE-79, PoC, affects ≥ 3.8.6, < 3.8.11, 2024-09-02
The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue which could be used against high-privilege users such as admin.
Sources: cvelistv5, nvd