Ninja Forms < 3.6.34 – Admin+ Stored XSS | CVE 2023-5530 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue

Proof of Concept

1.      Install and activate the Ninja Forms WordPress
2.      As an admin with the unfiltered_html capability, create a new form.
3.      In the form settings, add a new text field.
4.      In the field label, enter the following code: <img src=x onerror=alert(1)>, or Name<a href=javascript:alert(/XSS-1/) onfocus=alert(/XSS-2/) autofocus>ClickME, maybe</a>
5.      Save the form.

The XSS will be triggered when viewing the form in the frontend, as well as when editing the form in the backend

Affects Plugins

Fixed in 3.6.34

References

CVE

URL

https://ninjaforms.com/blog/saturday-drive-x-edition/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jonathan Zamora

Submitter

Jonathan Zamora

Submitter twitter

Jonatha94472792

Verified

Yes

WPVDB ID

a642f313-cc3e-4d75-b207-1dceb6a7fbae

Timeline

Publicly Published

2023-10-16 (about 2 years ago)

Added

2023-10-16 (about 2 years ago)

Last Updated

2023-10-17 (about 2 years ago)

Other

Published

Title

Published

2024-03-13

Title

Elementor Addons by Livemesh < 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text Widget

Published

2015-08-10

Title

WP Statistics <= 9.5.1 - Referer Cross-Site Scripting (XSS)

Published

2024-12-02

Title

Magical Addons For Elementor < 1.3.7 - Contributor+ Stored XSS

Published

2025-02-05

Title

Simple Certain Time to Show Content < 1.3.1 - Reflected XSS

Published

2025-11-10

Title

Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting