An administrator-level user can inject HTML or JavaScript into a Ninja Forms field label; the payload is stored and executes when other administrators view the form settings panel. Affects Ninja Forms versions up to 3.8.16, fixed in 3.8.18.

This vulnerability affects the following application versions:

  • Ninja Forms – The Contact Form Builder 3.6.34
  • Ninja Forms – The Contact Form Builder 3.6.34.1
  • Ninja Forms – The Contact Form Builder 3.7.3
  • Ninja Forms – The Contact Form Builder 3.7.3.1
  • Ninja Forms – The Contact Form Builder 3.8.0
  • Ninja Forms – The Contact Form Builder 3.8.1
  • Ninja Forms – The Contact Form Builder 3.8.2
  • Ninja Forms – The Contact Form Builder 3.8.3
  • Ninja Forms – The Contact Form Builder 3.8.4
  • Ninja Forms – The Contact Form Builder 3.8.5
  • Ninja Forms – The Contact Form Builder 3.8.6
  • Ninja Forms – The Contact Form Builder 3.8.7
  • Ninja Forms – The Contact Form Builder 3.8.8
  • Ninja Forms – The Contact Form Builder 3.8.9
  • Ninja Forms – The Contact Form Builder 3.8.10
  • Ninja Forms – The Contact Form Builder 3.8.11
  • Ninja Forms – The Contact Form Builder 3.8.12
  • Ninja Forms – The Contact Form Builder 3.8.13
  • Ninja Forms – The Contact Form Builder 3.8.14
  • Ninja Forms – The Contact Form Builder 3.8.15
  • Ninja Forms – The Contact Form Builder 3.8.16
  • Ninja Forms – The Contact Form Builder 3.8.17

Skriv et svar

Din e-mailadresse vil ikke blive publiceret. Krævede felter er markeret med *