CVE-2021-24166: CSRF
First published: Mon Apr 05 2021(Updated: )
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ninja Forms | <3.4.34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-24166?
CVE-2021-24166 is a vulnerability in the Ninja Forms Contact Form WordPress plugin before version 3.4.34.
How severe is CVE-2021-24166?
CVE-2021-24166 has a severity score of 5.4 (Medium).
What is the affected software?
The affected software is the Ninja Forms Contact Form WordPress plugin version up to and excluding 3.4.34.
What is the impact of CVE-2021-24166?
CVE-2021-24166 allows attackers to craft a request to disconnect a site's OAuth connection.
How can I fix CVE-2021-24166?
To fix CVE-2021-24166, update the Ninja Forms Contact Form WordPress plugin to version 3.4.34 or newer.
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- agent/event
- agent/type
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ninjaforms
- canonical/ninja forms