Ninja Forms < 3.6.10 – Admin+ Stored Cross-Site Scripting | CVE 2021-25056 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

As admin, put the following payload in a field label: <img src=x onerror=alert(/XSS/)>

The XSS will be triggered when editing the form, as well as in post/page where the form is embed

Affects Plugins

Fixed in 3.6.10

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Adel

Submitter website

https://itsfading.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

795acab2-f621-4662-834b-ebb6205ef7de

Timeline

Publicly Published

2022-06-13 (about 1 years ago)

Added

2022-06-13 (about 1 years ago)

Last Updated

2023-03-13 (about 1 years ago)

Other

Published

Title

Published

2021-09-08

Title

Twitter Friends Widget <= 3.1 - Reflected Cross-Site Scripting

Published

2024-03-13

Title

Elementor Addons by Livemesh < 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Multislider Widget

Published

2014-08-01

Title

Car Demon 1.0.1 - /wp-admin/post.php Multiple Parameter XSS

Published

2022-12-29

Title

Passster < 3.5.5.8 - Contributor+ Stored Cross-Site Scripting

Published

2024-04-04

Title

Squelch Tabs and Accordions Shortcodes < 0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via accordions Shortcode