Ninja Forms 3.8.6-3.8.10 – Reflected XSS | CVE 2024-7354 | Plugin Vulnerabilities

Description

The plugin does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

When the Survey promo notice hasn't been dismissed, make a logged in admin open https://example.com/wp-admin/admin.php?page=nf-submissions&"><script>alert(`XSS`)</script>=2

Affects Plugins

Fixed in 3.8.11

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

3c871dcd-51d7-4d3b-b036-efa9e066ff41

Timeline

Publicly Published

2024-08-12 (about 1 year ago)

Added

2024-08-12 (about 1 year ago)

Last Updated

2024-08-12 (about 1 year ago)

Other

Published

Title

Published

2014-09-20

Title

ActiveHelper LiveHelp Server 3.1.0 - server/offline.php Multiple Parameter XSS

Published

2024-03-25

Title

Church Admin < 4.1.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text

Published

2023-11-08

Title

Post Pay Counter < 2.790 - Reflected XSS

Published

2025-01-08

Title

SimplyRETS Real Estate IDX < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-07

Title

Restrict Categories <= 2.6.4 - Reflected XSS