Vulnerability to reflected self-based cross-site scripting via the referer header due to insufficient input sanitization and output escaping; an attacker could inject scripts that execute if a user is tricked into acting (for example, clicking a link). exploitation requires a temporary maintenance mode that cannot be enabled by attackers or administrators and is only active during a brief update window, which greatly limits practical impact, and the self-based nature of the issue means attackers must chain additional techniques to run a payload in the targeted user’s context.
This vulnerability affects the following application versions:
- Ninja Forms – The Contact Form Builder 3.4.34.2
- Ninja Forms – The Contact Form Builder 3.4.34.3
- Ninja Forms – The Contact Form Builder 3.5.8.4
- Ninja Forms – The Contact Form Builder 3.5.8.5
- Ninja Forms – The Contact Form Builder 3.6.34
- Ninja Forms – The Contact Form Builder 3.6.34.1
- Ninja Forms – The Contact Form Builder 3.7.3
- Ninja Forms – The Contact Form Builder 3.7.3.1
- Ninja Forms – The Contact Form Builder 3.8.0
- Ninja Forms – The Contact Form Builder 3.8.1
- Ninja Forms – The Contact Form Builder 3.8.2
- Ninja Forms – The Contact Form Builder 3.8.3
- Ninja Forms – The Contact Form Builder 3.8.4
- Ninja Forms – The Contact Form Builder 3.8.5
- Ninja Forms – The Contact Form Builder 3.8.6
- Ninja Forms – The Contact Form Builder 3.8.7
- Ninja Forms – The Contact Form Builder 3.8.8
- Ninja Forms – The Contact Form Builder 3.8.9
- Ninja Forms – The Contact Form Builder 3.8.10
- Ninja Forms – The Contact Form Builder 3.8.11
- Ninja Forms – The Contact Form Builder 3.8.12
- Ninja Forms – The Contact Form Builder 3.8.13
- Ninja Forms – The Contact Form Builder 3.8.14
- Ninja Forms – The Contact Form Builder 3.8.15