CVE-2023-5530: Ninja Forms < 3.6.34 - Admin+ Stored XSS
First published: Mon Nov 06 2023(Updated: )
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ninja Forms | <3.6.34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Ninja Forms vulnerability?
The vulnerability ID for this Ninja Forms vulnerability is CVE-2023-5530.
What is the severity of CVE-2023-5530?
The severity of CVE-2023-5530 is medium.
What is the affected software for CVE-2023-5530?
The affected software for CVE-2023-5530 is Ninja Forms version up to and exclusive of 3.6.34 in WordPress.
What is the CWE category for CVE-2023-5530?
The CWE category for CVE-2023-5530 is CWE-79.
How can the Ninja Forms Stored XSS vulnerability be exploited?
The Ninja Forms Stored XSS vulnerability can be exploited by high privilege users, such as administrators, with the unfiltered_html capability.
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/title
- agent/weakness
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/ninjaforms
- canonical/ninja forms