WordPress Plugin Vulnerabilities

Ninja Forms < 3.8.25 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.8.25

References

CVE
CVE-2024-13470
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2b46a9-d228-43b4-84af-d56218076087

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
3b5ec2fe-1e1a-4e42-8490-9b26dd454c98

Timeline

Publicly Published
2025-01-29 (about 1 year ago)
Added
2025-01-31 (about 1 year ago)
Last Updated
2025-01-31 (about 1 year ago)

Other

Published
Title
Published
2023-08-25
Title
Product page shipping calculator for WooCommerce < 1.3.26 - Admin+ Stored XSS
Published
2025-06-23
Title
Infility Global <= 2.14.52 - Reflected Cross-Site Scripting
Published
2015-04-20
Title
Broken Link Checker <= 1.10.5 - CSRF/XSS
Published
2024-10-09
Title
Elementor Inline SVG <= 1.2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2018-03-08
Title
Activity Log <= 2.4.0 - Multiple Cross-Site Scripting (XSS)