WordPress Plugin Vulnerabilities

Ninja Forms < 3.4.24.2 - CSRF to Stored XSS

Description

Ramuel Gall of Wordfence discovered a Cross-Site Request Forgery(CSRF) plugin vulnerability within the Ninja Forms WordPress plugin. By exploiting the CSRF vulnerability, an attacker could inject arbitrary malicious JavaScript via the import contact feature.

This vulnerability was reportedly fixed in version 3.4.24.2.

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.4.24.2

References

CVE
CVE-2020-12462
URL
https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-ninja-forms/
URL
https://plugins.trac.wordpress.org/changeset/2293836/ninja-forms

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Verified
Yes
WPVDB ID
3d15050c-cd43-4fe0-bf89-4ccfc170d23a

Timeline

Publicly Published
2020-04-29 (about 6 years ago)
Added
2020-04-29 (about 6 years ago)
Last Updated
2020-05-05 (about 6 years ago)

Other

Published
Title
Published
2024-01-11
Title
ARMember < 4.0.23 - Cross-Site Request Forgery
Published
2023-01-19
Title
Nice PayPal Button Lite <= 1.3.5 - CSRF
Published
2022-11-14
Title
Feed Them Social < 3.0.1 - Settings Update via CSRF
Published
2014-08-01
Title
Google Analytics MU 2.3 - google-analytics-mu-network.php Analytics Code Manipulation CSRF
Published
2014-08-01
Title
Amplus - CSRF