WordPress Plugin Vulnerabilities

Ninja Forms < 3.4.27.1 - CSRF leading to Arbitrary Plugin Installation

Description

The plugin is affected by a Cross-Site Request Forgery (CSRF) which could allow attackers to make a logged administrator install an arbitrary plugin from the WordPress repository.

Proof of Concept

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.4.27.1

References

CVE
CVE-2020-36174
URL
https://wpdeeply.com/ninja-forms-before-3-4-27-1-simple-csrf-to-rce/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.6 (high)

Miscellaneous

Original Researcher
Slavco Mihajloski
Verified
Yes
WPVDB ID
eb25a43e-0db9-4aa5-aad9-319a7b620da4

Timeline

Publicly Published
2020-09-22 (about 5 years ago)
Added
2020-10-08 (about 5 years ago)
Last Updated
2021-01-09 (about 5 years ago)

Other

Published
Title
Published
2025-01-16
Title
Anonymize Links <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-02-09
Title
ImageMagick Engine < 1.7.6 - PHAR Deserialization via CSRF
Published
2024-12-16
Title
Stop Registration Spam < 1.24 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2023-06-27
Title
WP Abstracts < 2.6.3 - Cross-Site Request Forgery
Published
2026-01-06
Title
Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update