Ninja Forms – The Contact Form Builder That Grows With You WordPress Plugin Security Vulnerabilities | WPScan

68

December 9, 2025

600000

Published

2025-12-12

Title

Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure

Fixed in

Fixed in 3.13.3

CVSS

7.5 (high)

Published

2025-09-26

Title

Ninja Forms < 3.12.1 - Limited File Deletion via CSRF

Fixed in

Fixed in 3.12.1

CVSS

4.3 (medium)

Published

2025-09-26

Title

Ninja Forms < 3.12.1 - Statistics Collection Opt In via CSRF

Fixed in

Fixed in 3.12.1

CVSS

4.3 (medium)

Published

2025-08-28

Title

Ninja-forms < 3.11.1 - Unauthenticated PHP Object Injection

Fixed in

Fixed in 3.11.1

CVSS

8.1 (high)

Published

2025-06-26

Title

Ninja Forms < 3.10.2.2 - Contributor+ Stored XSS via CSTI

Fixed in

Fixed in 3.10.2.2

CVSS

5.9 (medium)

Published

2025-04-28

Title

Ninja Forms < 3.10.1 - Admin+ Stored XSS

Fixed in

Fixed in 3.10.1

CVSS

3.5 (low)

Published

2025-04-28

Title

Ninja Forms < 3.10.1 - Admin+ Stored XSS

Fixed in

Fixed in 3.10.1

CVSS

3.5 (low)

Published

2025-04-28

Title

Ninja Forms < 3.10.1 - Admin+ Stored XSS

Fixed in

Fixed in 3.10.1

CVSS

3.5 (low)

Published

2025-01-29

Title

Ninja Forms < 3.8.25 - Contributor+ Stored XSS

Fixed in

Fixed in 3.8.25

CVSS

5.9 (medium)

Published

2024-12-28

Title

Ninja Forms < 3.8.23 - Subscriber+ Arbitrary Shortcode Execution

Fixed in

Fixed in 3.8.23

CVSS

6.3 (medium)

Published

2024-12-11

Title

Ninja Forms < 3.8.20 - Unauthenticated Stored XSS via Form Calculations

Fixed in

Fixed in 3.8.20

CVSS

7.2 (high)

Published

2024-10-28

Title

Ninja Forms < 3.8.18 - Admin+ Stored XSS

Fixed in

Fixed in 3.8.18

CVSS

3.5 (low)

Published

2024-10-28

Title

Ninja Forms < 3.8.18 - Admin+ Stored XSS

Fixed in

Fixed in 3.8.18

CVSS

3.5 (low)

Published

2024-09-24

Title

Ninja Forms Contact Form < 3.8.16 - Reflected Self-Based Cross-Site Scripting via Referer

Fixed in

Fixed in 3.8.16

CVSS

4.7 (medium)

Published

2024-08-28

Title

Ninja Forms < 3.8.12 - Administrator+ Stored Cross-Site Scripting

Fixed in

Fixed in 3.8.12

CVSS

4.4 (medium)

Published

2024-08-12

Title

Ninja Forms 3.8.6-3.8.10 - Reflected XSS

Fixed in

Fixed in 3.8.11

CVSS

7.1 (high)

Published

2024-07-24

Title

Ninja Forms < 3.8.7 - Cross-Site Request Forgery

Fixed in

Fixed in 3.8.7

CVSS

4.3 (medium)

Published

2024-07-04

Title

Ninja Forms < 3.8.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Fixed in

Fixed in 3.8.5

CVSS

4.3 (medium)

Published

2024-04-08

Title

Ninja Forms – The Contact Form Builder That Grows With You < 3.8.1 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 3.8.1

CVSS

4.4 (medium)

Published

2024-03-28

Title

Ninja Forms Contact Form < 3.8.1 - Author+ Stored XSS

Fixed in

Fixed in 3.8.1

CVSS

3.5 (low)

Published

2024-03-28

Title

Ninja Forms Contact Form < 3.8.1 - Publicly Accessible Form Submission Export via CSRF

Fixed in

Fixed in 3.8.1

CVSS

4.3 (medium)

Published

2024-02-01

Title

Ninja Forms Contact Form < 3.7.2 - Unauthenticated Second Order SQL Injection

Fixed in

Fixed in 3.7.2

CVSS

5.9 (medium)

Published

2023-10-16

Title

Ninja Forms < 3.6.34 - Admin+ Stored XSS

Fixed in

Fixed in 3.6.34

CVSS

0.0 (none)

Published

2023-08-07

Title

Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection

Fixed in

Fixed in 3.6.26

CVSS

0.0 (none)

Published

2023-07-25

Title

Ninja Forms < 3.6.26 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.6.26

CVSS

7.1 (high)

Published

2023-07-25

Title

Ninja Forms < 3.6.26 - Contributor+ Form Entries Export

Fixed in

Fixed in 3.6.26

CVSS

4.9 (medium)

Published

2023-07-25

Title

Ninja Forms < 3.6.26 - Subscriber+ Form Entries Export

Fixed in

Fixed in 3.6.26

CVSS

6.5 (medium)

Published

2023-06-22

Title

Ninja Forms < 3.6.25 - Admin+ Arbitrary File Deletion

Fixed in

Fixed in 3.6.25

CVSS

3.8 (low)

Published

2023-04-24

Title

Ninja Forms < 3.6.22 - Reflected XSS

Fixed in

Fixed in 3.6.22

CVSS

7.1 (high)

Published

2022-09-05

Title

NinjaForms < 3.6.13 - Admin+ PHP Objection Injection

Fixed in

Fixed in 3.6.13

CVSS

6.6 (medium)

Published

2022-06-15

Title

Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection

Fixed in

Fixed in 3.6.11

CVSS

9.8 (critical)

Published

2022-06-13

Title

Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 3.6.10

CVSS

3.4 (low)

Published

2022-06-10

Title

Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import

Fixed in

Fixed in 3.6.10

CVSS

3.4 (low)

Published

2022-03-22

Title

Ninja Forms < 3.6.8-wp - Unauthenticated Email Address Disclosure

Fixed in

Fixed in 3.6.8-wp

CVSS

5.9 (medium)

Published

2021-10-26

Title

Ninja Forms < 3.6.4 - Admin+ SQL Injection

Fixed in

Fixed in 3.6.4

CVSS

6.8 (medium)

Published

2021-09-27

Title

NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 3.5.8.2

CVSS

3.5 (low)

Published

2021-09-22

Title

Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection

Fixed in

Fixed in 3.5.8

CVSS

6.5 (medium)

Published

2021-09-22

Title

Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure

Fixed in

Fixed in 3.5.8

CVSS

6.5 (medium)

Published

2021-06-07

Title

Nina Forms < 3.5.5 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.5.5

CVSS

6.1 (medium)

Published

2021-02-16

Title

Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection

Fixed in

Fixed in 3.4.34

CVSS

6.1 (medium)

Published

2021-02-16

Title

Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure

Fixed in

Fixed in 3.4.34

CVSS

9.9 (critical)

Published

2021-02-16

Title

Ninja Forms < 3.4.34 - Administrator Open Redirect

Fixed in

Fixed in 3.4.34

CVSS

4.8 (medium)

Published

2021-02-16

Title

Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure

Fixed in

Fixed in 3.4.34.1

CVSS

7.7 (high)

Published

2020-09-22

Title

Ninja Forms < 3.4.27.1 - Validation Bypass via Email Field

Fixed in

Fixed in 3.4.27.1

CVSS

5.3 (medium)

Published

2020-09-22

Title

Ninja Forms < 3.4.27.1 - CSRF leading to Arbitrary Plugin Installation

Fixed in

Fixed in 3.4.27.1

CVSS

7.6 (high)

Published

2020-09-20

Title

Ninja Forms < 3.4.28 - Stored Cross-Site Scripting

Fixed in

Fixed in 3.4.28

CVSS

6.1 (medium)

Published

2020-04-29

Title

Ninja Forms < 3.4.24.2 - CSRF to Stored XSS

Fixed in

Fixed in 3.4.24.2

CVSS

8.8 (high)

Published

2020-02-03

Title

Ninja Forms < 3.4.23 - CSRF to Stored Cross-Site Scripting (XSS)

Fixed in

Fixed in 3.4.23

CVSS

5.4 (medium)

Published

2019-01-10

Title

Ninja Forms < 3.3.21.3 - XSS and SQLi

Fixed in

Fixed in 3.3.21.3

CVSS

n/a

Published

2019-01-07

Title

Ninja Forms < 3.3.21.2 - SQL Injection

Fixed in

Fixed in 3.3.21.2

CVSS

9.8 (critical)

Published

2018-12-01

Title

Ninja Forms <= 3.3.19 - Authenticated Open Redirect

Fixed in

Fixed in 3.3.19.1

CVSS

6.1 (medium)

Published

2018-11-14

Title

Ninja Forms <= 3.3.17 - Unauthenticated Cross-Site Scripting (XSS)

Fixed in

Fixed in 3.3.18

CVSS

6.1 (medium)

Published

2018-08-27

Title

Ninja Forms <= 3.3.13 - Cross-Site Scripting (XSS) in Import Function

Fixed in

Fixed in 3.3.14

CVSS

n/a

Published

2018-08-21

Title

Ninja Forms <= 3.3.13 - CSV Injection

Fixed in

Fixed in 3.3.14

CVSS

8.6 (high)

Published

2018-07-06

Title

Ninja Forms < 3.3.9 - Insufficient Restrictions during Export Personal Data requests

Fixed in

Fixed in 3.3.9

CVSS

9.1 (critical)

Published

2018-02-26

Title

Ninja Forms < 3.2.15 - Parameter Tampering

Fixed in

Fixed in 3.2.15

CVSS

7.5 (high)

Published

2018-02-20

Title

Ninja Forms <= 3.2.13 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 3.2.14

CVSS

6.1 (medium)

Published

2017-03-07

Title

Ninja Forms < 3.0.31 - XSS

Fixed in

Fixed in 3.0.31

CVSS

6.1 (medium)

Published

2016-08-16

Title

Ninja Forms <= 2.9.55.1 - Authenticated SQL Injection

Fixed in

Fixed in 2.9.55.2

CVSS

n/a

Published

2016-07-19

Title

Ninja Forms <= 2.9.51 - Multiple Authenticated Cross-Site Scripting (XSS)

Fixed in

Fixed in 2.9.52

CVSS

n/a

Published

2016-05-04

Title

Ninja Forms 2.9.36 to 2.9.42 - Multiple Vulnerabilities

Fixed in

Fixed in 2.9.43

CVSS

9.8 (critical)

Published

2015-09-30

Title

Ninja Forms <= 2.9.27 - Malicious File Export

Fixed in

Fixed in 2.9.28

CVSS

n/a

Published

2015-08-04

Title

Ninja Forms <= 2.9.21 - Authenticated Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 2.9.22

CVSS

n/a

Published

2015-06-05

Title

Ninja Forms <= 2.9.18 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 2.9.19

CVSS

n/a

Published

2015-04-20

Title

Ninja Forms <= 2.9.10 - Cross-Site Scripting (XSS)

Fixed in

Fixed in 2.9.11

CVSS

n/a

Published

2015-02-11

Title

Ninja Forms <= 2.8.8 - Stored & Reflected XSS

Fixed in

Fixed in 2.8.9

CVSS

n/a

Published

2014-12-02

Title

Ninja Forms <= 2.8.9 - Unspecified Issue Affecting Admin Users

Fixed in

Fixed in 2.8.10

CVSS

n/a

Published

2014-11-04

Title

Ninja Forms 2.8.6 - Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 2.8.7

CVSS

n/a