CVE-2025-2560

Medium CVSS: 4.8

The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Vendor

Ninjaforms

Product

Ninja Forms

CWE

CWE-79

Yayın Tarihi

2025-05-19 06:15:19

Güncelleme

2026-01-09 21:16:12

Source Identifier

contact@wpscan.com

KEV Date Added

Kategoriler

CWE-79 Ninja Forms MEDIUM Ninjaforms 2025

Referanslar

https://wpscan.com/vulnerability/2adaa55a-4a6d-40ca-ae19-fcb82420894a/

Benzer Kayıtlar

Medium

CVE-2025-14072

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the…

High

CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Obj…

Medium

CVE-2025-10499

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request…

Medium

CVE-2025-10498

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request…

Critical

CVE-2025-9083

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticate…

Medium

CVE-2025-5398

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site S…