Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Software Type	Plugin
Software Slug	ninja-forms (view on wordpress.org)
Software Status	Active
Software Author	kstover
Software Website	ninjaforms.com
Software Downloads	40,560,905
Software Active Installs	800,000
Software Record Last Updated	September 28, 2023

Showing 1-20 of 49 vulnerabilities

Ninja Forms <= 3.6.25 - Authenticated (Administrator+) Stored HTML Injection

4.4

CVE-2023-4109

Aug 7, 2023

Researcher: Sayandeep Dutta

Ninja Forms <= 3.6.25 - Reflected Cross-Site Scripting via 'data'

6.1

CVE-2023-37979

Jul 25, 2023

Researcher: Rafie Muhammad

Ninja Forms <= 3.6.25 - Missing Authorization to Contributor+ Form Submission Export

5.3

CVE-2023-38386

Jul 25, 2023

Researcher: Rafie Muhammad

Ninja Forms <= 3.6.25 - Missing Authorization to Form Submission Export

4.3

CVE-2023-38393

Jul 25, 2023

Researcher: Rafie Muhammad

Ninja Forms <= 3.6.25 - Denial of Service via Large Form Submissions

5.3

CVE-2023-35909

Jul 7, 2023

Researcher: PetiteMais

Ninja Forms <= 3.6.24 - Authenticated (Admin+) Arbitrary File Deletion

6.5

CVE-2023-36505

Jun 22, 2023

Researcher: Theodoros Malachias

Ninja Forms Contact Form <= 3.6.21 - Reflected Cross-Site Scripting via 'title'

6.1

CVE-2023-1835

Apr 24, 2023

Researcher: Erwan LR

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.12 - Authenticated (Administrator+) PHP Objection Injection

7.2

CVE-2022-2903

Sep 5, 2022

Researcher: Alessio Santoru

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.10 - Code Injection

9.8

CVE ID Unknown

Jun 15, 2022

Researchers:

Ninja Forms Contact Form <= 3.6.9 - Cross-Site Scripting via field label

4.8

CVE-2021-25056

Jun 13, 2022

Researcher: Muhammad Adel

Ninja Ninja Forms Contact Form <= 3.6.10 - Authenticated (Admin+) Stored Cross-Site Scripting via import

5.5

CVE-2021-25066

Jun 10, 2022

Researcher: Muhammad Adel

Ninja Forms Contact Form <= 3.6.9 - Authenticated (Admin+) Cross-Site Scripting via label

5.5

CVE-2021-36827

Jun 7, 2022

Researcher: Asif Nawaz Minhas

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.9 - Cross-Site Request Forgery to Field Import and PHP Object Injection

8.8

CVE ID Unknown

Jun 7, 2022

Researchers:

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.7 - Email Address Disclosure

5.3

CVE ID Unknown

Mar 22, 2022

Researcher: Agence Web Coheractio

Ninja Forms Contact Form <= 3.6.3 - Authenticated SQL Injection

7.2

CVE-2021-24889

Oct 26, 2021

Researcher: ZhongFu Su

Ninja Forms <= 3.5.8.1 - Cross-Site Scripting

4.8

CVE-2021-24381

Sep 27, 2021

Researcher: Rodel Plasabas

Ninja Forms <= 3.5.7 - Unprotected REST-API to Sensitive Information Disclosure

6.5

CVE-2021-34647

Sep 22, 2021

Researcher: Chloe Chamberland

Ninja Forms <= 3.5.7 - Unprotected REST-API to Email Injection

6.4

CVE-2021-34648

Sep 22, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.33 - Cross-Site Request Forgery to OAuth Service Disconnection

5.4

CVE-2021-24166

Feb 16, 2021

Researcher: Chloe Chamberland

Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect

6.1

CVE-2021-24165

Feb 16, 2021

Researcher: Chloe Chamberland

Title	CVE ID	CVSS	Researchers	Date
Ninja Forms <= 3.6.25 - Authenticated (Administrator+) Stored HTML Injection	CVE-2023-4109	4.4	Sayandeep Dutta	August 7, 2023
Ninja Forms <= 3.6.25 - Reflected Cross-Site Scripting via 'data'	CVE-2023-37979	6.1	Rafie Muhammad	July 25, 2023
Ninja Forms <= 3.6.25 - Missing Authorization to Contributor+ Form Submission Export	CVE-2023-38386	5.3	Rafie Muhammad	July 25, 2023
Ninja Forms <= 3.6.25 - Missing Authorization to Form Submission Export	CVE-2023-38393	4.3	Rafie Muhammad	July 25, 2023
Ninja Forms <= 3.6.25 - Denial of Service via Large Form Submissions	CVE-2023-35909	5.3	PetiteMais	July 7, 2023
Ninja Forms <= 3.6.24 - Authenticated (Admin+) Arbitrary File Deletion	CVE-2023-36505	6.5	Theodoros Malachias	June 22, 2023
Ninja Forms Contact Form <= 3.6.21 - Reflected Cross-Site Scripting via 'title'	CVE-2023-1835	6.1	Erwan LR	April 24, 2023
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.12 - Authenticated (Administrator+) PHP Objection Injection	CVE-2022-2903	7.2	Alessio Santoru	September 5, 2022
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.10 - Code Injection		9.8		June 15, 2022
Ninja Forms Contact Form <= 3.6.9 - Cross-Site Scripting via field label	CVE-2021-25056	4.8	Muhammad Adel	June 13, 2022
Ninja Ninja Forms Contact Form <= 3.6.10 - Authenticated (Admin+) Stored Cross-Site Scripting via import	CVE-2021-25066	5.5	Muhammad Adel	June 10, 2022
Ninja Forms Contact Form <= 3.6.9 - Authenticated (Admin+) Cross-Site Scripting via label	CVE-2021-36827	5.5	Asif Nawaz Minhas	June 7, 2022
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.9 - Cross-Site Request Forgery to Field Import and PHP Object Injection		8.8		June 7, 2022
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.7 - Email Address Disclosure		5.3	Agence Web Coheractio	March 22, 2022
Ninja Forms Contact Form <= 3.6.3 - Authenticated SQL Injection	CVE-2021-24889	7.2	ZhongFu Su	October 26, 2021
Ninja Forms <= 3.5.8.1 - Cross-Site Scripting	CVE-2021-24381	4.8	Rodel Plasabas	September 27, 2021
Ninja Forms <= 3.5.7 - Unprotected REST-API to Sensitive Information Disclosure	CVE-2021-34647	6.5	Chloe Chamberland	September 22, 2021
Ninja Forms <= 3.5.7 - Unprotected REST-API to Email Injection	CVE-2021-34648	6.4	Chloe Chamberland	September 22, 2021
Ninja Forms Contact Form <= 3.4.33 - Cross-Site Request Forgery to OAuth Service Disconnection	CVE-2021-24166	5.4	Chloe Chamberland	February 16, 2021
Ninja Forms Contact Form <= 3.4.33 - Administrator Open Redirect	CVE-2021-24165	6.1	Chloe Chamberland	February 16, 2021

All the threat data shared in this database is powered by Wordfence Intelligence Enterprise.
Interested in integrating this data into your platform or network?
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation