WordPress Plugin Vulnerabilities

Ninja Forms < 3.4.28 - Stored Cross-Site Scripting

Description

The plugin did not escape HTML content of fields in the submissions table, which could lead to Cross-Site Scripting issues

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.4.28

References

CVE
CVE-2020-36173
URL
https://plugins.trac.wordpress.org/changeset/2384540/ninja-forms/tags/3.4.28/includes/Database/Models/Submission.php

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Verified
No
WPVDB ID
4b4e5cf0-1c18-450b-b36d-848f8b958e34

Timeline

Publicly Published
2020-09-20 (about 5 years ago)
Added
2021-01-06 (about 5 years ago)
Last Updated
2021-01-09 (about 5 years ago)

Other

Published
Title
Published
2022-08-11
Title
Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored Cross-Site Scripting
Published
2025-12-17
Title
ModelTheme Addons for WPBakery and Elementor < 1.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-05
Title
Parallax Scrolling Enllax.js <= 0.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-07-18
Title
DW Promobar <= 1.0.4 - Admin+ Stored Cross-Site Scripting
Published
2025-07-21
Title
Shortcodes Ultimate < 7.4.3 - Author+ Stored XSS via Image Title and Slide Link