🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Information

Software Type	Plugin
Software Slug	ninja-forms (view on wordpress.org)
Software Status	Active
Software Author	kstover
Software Website	ninjaforms.com
Software Downloads	44,058,826
Software Active Installs	800,000
Software Record Last Updated	April 19, 2024

Showing 21-40 of 52 Vulnerabilities

Ninja Forms <= 3.5.7 - Unprotected REST-API to Email Injection

6.4

CVE-2021-34648

Sep 22, 2021

Researcher: Chloe Chamberland

Ninja Forms <= 3.4.34 - Authenticated OAuth Connection Key Disclosure

4.3

CVE-2021-24164

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.33 - Cross-Site Request Forgery to OAuth Service Disconnection

5.4

CVE-2021-24166

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.33 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure

8.8

CVE-2021-24163

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect

6.1

CVE-2021-24165

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.4.27 - Cross-Site Request Forgery to Plugin Installation

8.8

CVE-2020-36174

Sep 22, 2020

Researcher: Slavco Mihajloski

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.4.27 - Validation Bypass via Email Field

5.3

CVE-2020-36175

Sep 22, 2020

Researchers:

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.4.27.1 - Stored Cross-Site Scripting

6.5

CVE-2020-36173

Sep 20, 2020

Researchers:

Ninja Forms Contact Form <= 3.4.24.1 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting

6.1

CVE-2020-12462

Apr 28, 2020

Researcher: Ram

Ninja Forms Contact Form <= 3.4.22 - Stored Cross-Site Scripting

6.4

CVE-2020-8594

Feb 3, 2020

Researcher: Spider Sec Ltd

Ninja Forms Contact Form <= 3.3.21.1 - SQL Injection

9.8

CVE-2019-15025

Jan 7, 2019

Researchers:

Ninja Forms Contact Form <= 3.3.19 - Authenticated Open Redirect

4.7

CVE-2018-19796

Dec 1, 2018

Researcher: MTK (Muhammad Talha Khan)

Ninja Forms Contact Form <= 3.3.17 - Cross-Site Scripting via begin_date, end_date, or form_id Parameter

6.1

CVE-2018-19287

Nov 15, 2018

Researchers:

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.3.13 - Cross-Site Scripting

8.3

CVE ID Unknown

Aug 27, 2018

Researcher: Adam Roberts

Ninja Forms Contact Form <= 3.3.13 - CSV Injection

8.6

CVE-2018-16308

Aug 19, 2018

Researchers:

Ninja Forms <= 3.3.8 - Insufficient Restrictions during Export Personal Data requests

9.1

CVE-2018-20981

Jul 6, 2018

Researchers:

Ninja Forms Contact Form <= 3.2.14 - Parameter Tampering

7.5

CVE-2018-20980

Feb 26, 2018

Researchers:

Ninja Forms Contact Form <= 3.2.13 - Cross-Site Scripting

6.1

CVE-2018-7280

Feb 20, 2018

Researcher: Kasper Karlsson

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.31 - Arbitrary Wordpress Shortcode Injection

5.3

CVE ID Unknown

Apr 17, 2017

Researcher: James Golovich

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.30 - HTML Injection

6.1

CVE-2017-18574

Mar 7, 2017

Researchers:

Title	CVE ID	CVSS	Researchers	Date
Ninja Forms <= 3.5.7 - Unprotected REST-API to Email Injection	CVE-2021-34648	6.4	Chloe Chamberland	September 22, 2021
Ninja Forms <= 3.4.34 - Authenticated OAuth Connection Key Disclosure	CVE-2021-24164	4.3	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form <= 3.4.33 - Cross-Site Request Forgery to OAuth Service Disconnection	CVE-2021-24166	5.4	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form <= 3.4.33 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure	CVE-2021-24163	8.8	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect	CVE-2021-24165	6.1	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.4.27 - Cross-Site Request Forgery to Plugin Installation	CVE-2020-36174	8.8	Slavco Mihajloski	September 22, 2020
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.4.27 - Validation Bypass via Email Field	CVE-2020-36175	5.3		September 22, 2020
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.4.27.1 - Stored Cross-Site Scripting	CVE-2020-36173	6.5		September 20, 2020
Ninja Forms Contact Form <= 3.4.24.1 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting	CVE-2020-12462	6.1	Ram	April 28, 2020
Ninja Forms Contact Form <= 3.4.22 - Stored Cross-Site Scripting	CVE-2020-8594	6.4	Spider Sec Ltd	February 3, 2020
Ninja Forms Contact Form <= 3.3.21.1 - SQL Injection	CVE-2019-15025	9.8		January 7, 2019
Ninja Forms Contact Form <= 3.3.19 - Authenticated Open Redirect	CVE-2018-19796	4.7	MTK (Muhammad Talha Khan)	December 1, 2018
Ninja Forms Contact Form <= 3.3.17 - Cross-Site Scripting via begin_date, end_date, or form_id Parameter	CVE-2018-19287	6.1		November 15, 2018
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.3.13 - Cross-Site Scripting		8.3	Adam Roberts	August 27, 2018
Ninja Forms Contact Form <= 3.3.13 - CSV Injection	CVE-2018-16308	8.6		August 19, 2018
Ninja Forms <= 3.3.8 - Insufficient Restrictions during Export Personal Data requests	CVE-2018-20981	9.1		July 6, 2018
Ninja Forms Contact Form <= 3.2.14 - Parameter Tampering	CVE-2018-20980	7.5		February 26, 2018
Ninja Forms Contact Form <= 3.2.13 - Cross-Site Scripting	CVE-2018-7280	6.1	Kasper Karlsson	February 20, 2018
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.31 - Arbitrary Wordpress Shortcode Injection		5.3	James Golovich	April 17, 2017
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.30 - HTML Injection	CVE-2017-18574	6.1		March 7, 2017

«
‹
1
2
3
›
»

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.