WordPress Plugin Vulnerabilities

Ninja Forms File Uploads Extension < 3.3.13 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin is vulnerable to stored cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites.

Affects Plugins

Plugin icon
ninja-forms-uploads
Fixed in 3.3.13

References

CVE
CVE-2022-0889
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0889

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Nuno Correia (Blaze Security)
Verified
Yes
WPVDB ID
fd00a14b-3016-487d-94a9-27716b925440

Timeline

Publicly Published
2022-03-08 (about 4 years ago)
Added
2022-03-08 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2024-08-30
Title
WPZOOM Portfolio Lite – Filterable Portfolio Plugin < 1.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute
Published
2024-11-04
Title
FriendStore for WooCommerce <= 1.4.2 - Reflected Cross-Site Scripting
Published
2024-12-02
Title
My auctions allegro < 3.6.18 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Responsive Logo Slideshow - URL & Image Field XSS
Published
2023-01-16
Title
PDF Generator for WordPress < 1.1.2 - Reflected XSS