CVE-2023-1835: Ninja Forms < 3.6.22 - Reflected XSS
First published: Mon May 15 2023(Updated: )
The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Credit: contact@wpscan.com contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ninja Forms | <3.6.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2023-1835.
What is the severity level of CVE-2023-1835?
The severity level of CVE-2023-1835 is medium with a CVSS score of 6.1.
What is the affected software?
The affected software is Ninja Forms Contact Form WordPress plugin version up to and including 3.6.22.
What is the potential impact of this vulnerability?
The potential impact of this vulnerability is a Reflected Cross-Site Scripting (XSS) which could be used against high privilege users such as admin.
How can I fix CVE-2023-1835?
To fix CVE-2023-1835, upgrade to the latest version of the Ninja Forms Contact Form WordPress plugin (version 3.6.23 or higher) which contains a patch for this issue.
- agent/type
- agent/weakness
- agent/references
- agent/title
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/ninjaforms
- canonical/ninja forms