CVE-2021-24381: NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
First published: Mon Oct 25 2021(Updated: )
The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ninja Forms | <3.5.8.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this Ninja Forms Contact Form plugin vulnerability?
The vulnerability ID for this Ninja Forms Contact Form plugin vulnerability is CVE-2021-24381.
What is the severity of CVE-2021-24381?
The severity of CVE-2021-24381 is medium with a severity value of 4.8.
How does the Ninja Forms Contact Form plugin vulnerability affect the software?
The vulnerability allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
What version of the Ninja Forms Contact Form plugin is affected by CVE-2021-24381?
The Ninja Forms Contact Form plugin before version 3.5.8.2 is affected by CVE-2021-24381.
Is there a fix available for CVE-2021-24381?
Yes, the fix for CVE-2021-24381 is to update the Ninja Forms Contact Form plugin to version 3.5.8.2 or higher.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/author
- agent/severity
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ninjaforms
- canonical/ninja forms