The plugin fails to properly validate user-supplied input before passing it to the do_shortcode function in the form preview functionality. This could allow attackers to execute unintended shortcodes, potentially leading to information disclosure or privilege escalation.
This vulnerability affects the following application versions:
- Ninja Forms – The Contact Form Builder 3.8.5
- Ninja Forms – The Contact Form Builder 3.8.6
- Ninja Forms – The Contact Form Builder 3.8.7
- Ninja Forms – The Contact Form Builder 3.8.8
- Ninja Forms – The Contact Form Builder 3.8.9
- Ninja Forms – The Contact Form Builder 3.8.10
- Ninja Forms – The Contact Form Builder 3.8.11
- Ninja Forms – The Contact Form Builder 3.8.12
- Ninja Forms – The Contact Form Builder 3.8.13
- Ninja Forms – The Contact Form Builder 3.8.14
- Ninja Forms – The Contact Form Builder 3.8.15
- Ninja Forms – The Contact Form Builder 3.8.16
- Ninja Forms – The Contact Form Builder 3.8.17
- Ninja Forms – The Contact Form Builder 3.8.18
- Ninja Forms – The Contact Form Builder 3.8.19
- Ninja Forms – The Contact Form Builder 3.8.20
- Ninja Forms – The Contact Form Builder 3.8.21
- Ninja Forms – The Contact Form Builder 3.8.22
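
The general mitigation for the flaw described above is to expand only an explicit allowlist of shortcodes when the input is untrusted. The following is an added example, not Ninja Forms code and not the vendor's fix; the function name `example_render_untrusted()` and the tag `example_form` are hypothetical.

```php
<?php
/**
 * Added illustration only. Not taken from the plugin.
 *
 * Weak pattern described in the advisory: request data reaches
 * do_shortcode() directly, so every shortcode registered on the
 * site can be invoked by whoever controls that data.
 *
 * Hardened pattern: while untrusted input is being rendered, only
 * allowlisted tags are registered, so anything else stays inert text.
 */

// Hypothetical allowlist: the only tags a preview needs to expand.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_form' );

function example_render_untrusted( string $untrusted ): string {
    global $shortcode_tags; // WordPress registry: tag => callback.

    // Strip markup that post content would not be allowed to carry.
    $clean = wp_kses_post( $untrusted );

    // Swap the registry for the allowlisted subset.
    $saved          = $shortcode_tags;
    $shortcode_tags = array_intersect_key(
        $saved,
        array_flip( EXAMPLE_ALLOWED_SHORTCODES )
    );

    try {
        // Callbacks that call do_shortcode() on their own content
        // are restricted as well, because the registry is global.
        return do_shortcode( $clean );
    } finally {
        // Always restore the full registry, even if a callback throws.
        $shortcode_tags = $saved;
    }
}
```

Tags outside the allowlist are returned as literal text rather than executed, which also makes attempted use visible in the rendered output and in request logs.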