WordPress Plugin Vulnerabilities

Ninja Forms <= 3.3.17 - Unauthenticated Cross-Site Scripting (XSS)

Description

According to the changelog:

"Patched a redirect XSS vulnerability using code injection on our submissions page."

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.3.18

References

CVE
CVE-2018-19287
URL
https://plugins.trac.wordpress.org/changeset/1974335/ninja-forms/trunk/includes/Admin/Menus/Submissions.php

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Unkown
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
fb036dc2-0ee8-4a3e-afac-f52050b3f8c7

Timeline

Publicly Published
2018-11-14 (about 7 years ago)
Added
2018-11-15 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-03-25
Title
WP User Profile Avatar < 1.0.2 - Contributor+ Stored XSS
Published
2017-03-01
Title
Trust Form < 2.0.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2015-04-24
Title
WP Google Map Plugin < 2.3.7 - XSS
Published
2024-12-20
Title
G Web Pro Store Locator <= 2.1 - Reflected Cross-Site Scripting
Published
2025-01-06
Title
WP – Bulk SMS – by SMS.to <= 1.0.12 - Reflected Cross-Site Scripting