CVE-2025-5398

Medium CVSS: 6.4

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor

Ninjaforms

Product

Ninja Forms

CWE

CWE-79

Yayın Tarihi

2025-06-27 10:15:26

Güncelleme

2025-07-07 15:31:31

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-79 Ninja Forms MEDIUM Ninjaforms 2025

Referanslar

https://plugins.trac.wordpress.org/browser/ninja-forms/tags/3.10.1/assets/js/min/front-end.js https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3317181%40ninja-forms&new=3317181%40ninja-forms&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/92d106c6-a910-4f41-94d1-59f6b7f3aeb0?source=cve

Benzer Kayıtlar

Medium

CVE-2025-14072

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the…

High

CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Obj…

Medium

CVE-2025-10499

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request…

Medium

CVE-2025-10498

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request…

Critical

CVE-2025-9083

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticate…

Medium

CVE-2025-2524

The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow hig…