Ninja Forms – The Contact Form Builder That Grows With You

Software Type	Plugin
Software Slug	ninja-forms (view on wordpress.org)
Software Status	Active
Software Author	kstover
Software Website	ninjaforms.com
Software Downloads	44,320,737
Software Active Installs	800,000
Software Record Last Updated	May 2, 2024

Showing 21-40 of 52 Vulnerabilities

Ninja Forms <= 3.5.7 - Unprotected REST-API to Email Injection

6.4

CVE-2021-34648

Sep 22, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.22 - Stored Cross-Site Scripting

6.4

CVE-2020-8594

Feb 3, 2020

Researcher: Spider Sec Ltd

Ninja Forms <= 3.6.25 - Reflected Cross-Site Scripting via 'data'

6.1

CVE-2023-37979

Jul 25, 2023

Researcher: Rafie Muhammad

Ninja Forms Contact Form <= 3.6.21 - Reflected Cross-Site Scripting via 'title'

6.1

CVE-2023-1835

Apr 24, 2023

Researcher: Erwan LR

Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect

6.1

CVE-2021-24165

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.24.1 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting

6.1

CVE-2020-12462

Apr 28, 2020

Researcher: Ram

Ninja Forms Contact Form <= 3.3.17 - Cross-Site Scripting via begin_date, end_date, or form_id Parameter

6.1

CVE-2018-19287

Nov 15, 2018

Researchers:

Ninja Forms Contact Form <= 3.2.13 - Cross-Site Scripting

6.1

CVE-2018-7280

Feb 20, 2018

Researcher: Kasper Karlsson

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.30 - HTML Injection

6.1

CVE-2017-18574

Mar 7, 2017

Researchers:

Ninja Forms Contact Form <= 2.9.51 - Multiple Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Jul 19, 2016

Researcher: Han Sahin

Ninja Forms Contact Form <= 2.9.18 - Cross-Site Scripting

6.1

CVE ID Unknown

Jun 5, 2015

Researchers:

Ninja Forms <= 2.9.10 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Apr 20, 2015

Researchers:

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.8 - Reflected Cross-Site Scripting

6.1

CVE-2014-9688

Dec 2, 2014

Researcher: Sergio Navarro

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.6 - Reflected Cross-Site Scripting

6.1

CVE-2014-8815

Nov 6, 2014

Researcher: Kacper Szurek

Ninja Forms Contact Form <= 3.7.1 - Unauthenticated Second Order SQL Injection

5.9

CVE-2024-0685

Feb 1, 2024

Researcher: stealthcopter

Ninja Ninja Forms Contact Form <= 3.6.10 - Authenticated (Admin+) Stored Cross-Site Scripting via import

5.5

CVE-2021-25066

Jun 10, 2022

Researcher: Muhammad Adel

Ninja Forms Contact Form <= 3.6.9 - Authenticated (Admin+) Cross-Site Scripting via label

5.5

CVE-2021-36827

Jun 7, 2022

Researcher: Asif Nawaz Minhas

Ninja Forms Contact Form <= 3.4.33 - Cross-Site Request Forgery to OAuth Service Disconnection

5.4

CVE-2021-24166

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 2.9.21 - Reflected Cross-Site Scripting

5.4

CVE ID Unknown

Aug 4, 2015

Researchers: Kenneth Jepsen, Mikkel Vej, Morten Nortoft

Ninja Forms <= 3.6.25 - Missing Authorization to Contributor+ Form Submission Export

5.3

CVE-2023-38386

Jul 25, 2023

Researcher: Rafie Muhammad

Title	CVE ID	CVSS	Researchers	Date
Ninja Forms <= 3.5.7 - Unprotected REST-API to Email Injection	CVE-2021-34648	6.4	Chloe Chamberland	September 22, 2021
Ninja Forms Contact Form <= 3.4.22 - Stored Cross-Site Scripting	CVE-2020-8594	6.4	Spider Sec Ltd	February 3, 2020
Ninja Forms <= 3.6.25 - Reflected Cross-Site Scripting via 'data'	CVE-2023-37979	6.1	Rafie Muhammad	July 25, 2023
Ninja Forms Contact Form <= 3.6.21 - Reflected Cross-Site Scripting via 'title'	CVE-2023-1835	6.1	Erwan LR	April 24, 2023
Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect	CVE-2021-24165	6.1	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form <= 3.4.24.1 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting	CVE-2020-12462	6.1	Ram	April 28, 2020
Ninja Forms Contact Form <= 3.3.17 - Cross-Site Scripting via begin_date, end_date, or form_id Parameter	CVE-2018-19287	6.1		November 15, 2018
Ninja Forms Contact Form <= 3.2.13 - Cross-Site Scripting	CVE-2018-7280	6.1	Kasper Karlsson	February 20, 2018
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.30 - HTML Injection	CVE-2017-18574	6.1		March 7, 2017
Ninja Forms Contact Form <= 2.9.51 - Multiple Reflected Cross-Site Scripting		6.1	Han Sahin	July 19, 2016
Ninja Forms Contact Form <= 2.9.18 - Cross-Site Scripting		6.1		June 5, 2015
Ninja Forms <= 2.9.10 - Reflected Cross-Site Scripting		6.1		April 20, 2015
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.8 - Reflected Cross-Site Scripting	CVE-2014-9688	6.1	Sergio Navarro	December 2, 2014
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.6 - Reflected Cross-Site Scripting	CVE-2014-8815	6.1	Kacper Szurek	November 6, 2014
Ninja Forms Contact Form <= 3.7.1 - Unauthenticated Second Order SQL Injection	CVE-2024-0685	5.9	stealthcopter	February 1, 2024
Ninja Ninja Forms Contact Form <= 3.6.10 - Authenticated (Admin+) Stored Cross-Site Scripting via import	CVE-2021-25066	5.5	Muhammad Adel	June 10, 2022
Ninja Forms Contact Form <= 3.6.9 - Authenticated (Admin+) Cross-Site Scripting via label	CVE-2021-36827	5.5	Asif Nawaz Minhas	June 7, 2022
Ninja Forms Contact Form <= 3.4.33 - Cross-Site Request Forgery to OAuth Service Disconnection	CVE-2021-24166	5.4	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form <= 2.9.21 - Reflected Cross-Site Scripting		5.4	Kenneth Jepsen, Mikkel Vej, Morten Nortoft	August 4, 2015
Ninja Forms <= 3.6.25 - Missing Authorization to Contributor+ Form Submission Export	CVE-2023-38386	5.3	Rafie Muhammad	July 25, 2023

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

Ninja Forms – The Contact Form Builder That Grows With You

Information

Showing 21-40 of 52 Vulnerabilities