Ninja Forms < 3.8.5 – Authenticated (Subscriber+) Arbitrary Shortcode Execution | CVE 2024-37934 | Plugin Vulnerabilities

Description

The The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Fixed in 3.8.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c4dc736a-6c34-489f-a73a-c7030c60b97f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

4438e827-cd52-4084-8a20-4547d03065b3

Timeline

Publicly Published

2024-07-04 (about 1 year ago)

Added

2024-07-10 (about 1 year ago)

Last Updated

2024-07-10 (about 1 year ago)

Other

Published

Title

Published

2023-08-29

Title

Site Reviews < 6.10.3 - Missing Authorization

Published

2025-09-03

Title

MasterStudy LMS < 3.6.16 - Missing Authorization

Published

2022-11-08

Title

Blog2Social < 6.9.12 - Subscriber+ Settings Update

Published

2023-06-26

Title

WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update

Published

2026-01-19

Title

Points and Rewards for WooCommerce < 2.9.6 - Missing Authorization