WordPress Plugin Vulnerabilities

Ninja Forms Contact Form < 3.8.1 - Author+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.8.1

References

CVE
CVE-2024-2108
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a6eb430-cf86-4e13-a4f7-173fada9fddf

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
c89ce032-c361-49e2-8ed0-c806bf399d96

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-03-29 (about 2 years ago)
Last Updated
2024-03-29 (about 2 years ago)

Other

Published
Title
Published
2025-02-27
Title
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons < 26.0.1 - Unauthenticated Stored Cross-Site Scripting
Published
2025-09-05
Title
Stagtools <= 2.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-03
Title
Schedulicity - Easy Online Scheduling <= 2.21 - Contributor+ Stored XSS
Published
2025-02-22
Title
SMTP for SendGrid – YaySMTP < 1.5 - Unauthenticated Stored Cross-Site Scripting via Email Logs
Published
2026-02-18
Title
Easy Author Image <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Picture URL