Lucene search
WpvulndbWPVDB-ID:795ACAB2-F621-4662-834B-EBB6205EF7DEHistoryJun 13, 2022 - 12:00 a.m.
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
2022-06-1300:00:00
wpscan.com
18
ninja forms
vulnerability
cross-site scripting
high privilege users
EPSS
0.001
Percentile
24.8%
The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PoC
As admin, put the following payload in a field label: The XSS will be triggered when editing the form, as well as in post/page where the form is embed
Related
cnvd
cnvd
WordPress Ninja Forms Contact Form pluginθ·¨η«θζ¬ζΌζ΄
2022-07-06 00:00:00
prion
prion
Cross site scripting
2022-07-04 13:15:00
wpexploit
wpexploit
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
2022-06-13 00:00:00
patchstack
patchstack
cvelist
cvelist
CVE-2021-25056 Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
2022-07-04 13:05:21
cve
cve
CVE-2021-25056
2022-07-04 13:15:08
nvd
nvd
CVE-2021-25056
2022-07-04 13:15:08
openvas
openvas
WordPress Ninja Forms Contact Form Plugin < 3.6.10 Multiple Vulnerabilities
2022-07-05 00:00:00