Description

WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently preview un-published forms by injecting arbitrary shortcodes. WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress version 3.0.30 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.0.31 or latest

References

http://www.pritect.net/blog/ninjaforms-3-0-32-allows-injecting-arbitrary-wordpress-shortcodes

https://wordpress.org/plugins/ninja-forms/#changelog

Related Vulnerabilities

PHP unspecified remote arbitrary file upload vulnerability

WordPress Plugin Import Export WordPress Users CSV Injection (1.3.1)

WordPress Plugin RokStories Multiple Vulnerabilities (1.25)

WordPress Plugin Manual Image Crop Cross-Site Scripting (1.10)

WordPress Multiple Vulnerabilities (0.70 - 3.6.1)

Severity

High

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Authentication Bypass