Ninja Forms
Kevin Stover
Developer
3.13.3
Latest version
600,000
Installations
No date
Last updated
Vulnerability history
0 present
58 fixed
17 Mitigation rules
- Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token vulnerability<= 3.13.24 days ago
- Cross-Site Request Forgery to Limited File Deletion vulnerability<= 3.12.0Sep 26, 2025
- Cross-Site Request Forgery to Plugin Settings Update vulnerability<= 3.12.0Sep 26, 2025
- Unauthenticated PHP Object Injection vulnerability< 3.11.1Sep 9, 2025
- Authenticated (Contributor+) Stored Cross-Site Scripting via CSTI vulnerability<= 3.10.2.1Jun 26, 2025
- Admin+ Stored XSS vulnerability< 3.10.1May 19, 2025
- Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability<= 3.8.24Jan 30, 2025
- Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability<= 3.8.22Dec 30, 2024
- Unauthenticated Stored Cross-Site Scripting via Form Calculations vulnerability<= 3.8.19Dec 12, 2024
- Cross Site Scripting (XSS) vulnerability<= 3.8.16Oct 28, 2024
- Cross Site Scripting (XSS) vulnerability<= 3.8.16Oct 28, 2024
- Reflected Self-Based Cross-Site Scripting via Referer vulnerability<= 3.8.15Sep 25, 2024
- Wordpress Ninja Forms plugin 3.8.6 - 3.8.10 - Reflected XSS3.8.6-3.8.10Sep 3, 2024
- Cross Site Scripting (XSS) vulnerability<= 3.8.11Aug 28, 2024
- Cross Site Request Forgery (CSRF) vulnerability<= 3.8.6Jul 24, 2024
- Subscriber+ Arbitrary Shortcode Execution vulnerability<= 3.8.4Jul 4, 2024
- Cross-Site Request Forgery to Publicly Accessible Form Submission Export vulnerability<= 3.8.0Mar 29, 2024
- Authenticated (Author+) Stored Cross-Site Scripting vulnerability<= 3.8.0Mar 29, 2024
- Unauthenticated Second Order SQL Injection vulnerability<= 3.7.1Feb 1, 2024
- Admin+ Stored XSS vulnerability< 3.6.34Nov 7, 2023
- Reflected Cross Site Scripting (XSS) vulnerability<= 3.6.25Jul 25, 2023
- Subscriber+ Broken Access Control vulnerability<= 3.6.25Jul 25, 2023
- Contributor+ Broken Access Control vulnerability<= 3.6.25Jul 25, 2023
- Denial of Service Attack vulnerability<= 3.6.25Jul 7, 2023
- Arbitrary File Deletion vulnerability<= 3.6.24Jun 22, 2023
- Reflected XSS vulnerability< 3.6.22May 2, 2023
- Authenticated PHP Objection Injection vulnerability<= 3.6.12Sep 5, 2022
- Unauthenticated PHP Object Injection vulnerability<= 3.6.10Jun 15, 2022
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 3.6.9Jun 13, 2022
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 3.6.9Jun 10, 2022
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 3.6.9Jun 7, 2022
- Unauthenticated Email Address Disclosure vulnerability<= 3.6.7Mar 22, 2022
- SQL Injection (SQLi) vulnerability<= 3.6.3Oct 26, 2021
- Stored Cross-Site Scripting (XSS) vulnerability<= 3.5.8.1Sep 27, 2021
- Unprotected REST-API to Sensitive Information Disclosure vulnerability<= 3.5.7Sep 22, 2021
- Unprotected REST-API to Email Injection vulnerability<= 3.5.7Sep 22, 2021
- Cross-Site Request Forgery (CSRF) vulnerability<= 3.4.33Feb 16, 2021
- Administrator Open Redirect vulnerability<= 3.4.33Feb 16, 2021
- Authenticated OAuth Connection Key Disclosure vulnerability<= 3.4.33Feb 16, 2021
- Authenticated SendWP Plugin Installation and Client Secret Key Disclosure vulnerability<= 3.4.33Feb 16, 2021
- Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Installation vulnerability<= 3.4.27Sep 22, 2020
- Cross-Site Scripting (XSS) vulnerability<= 3.3.21Jun 25, 2019
- SQL injection (SQLi) vulnerability<= 3.3.21Jun 25, 2019
- Authenticated Open Redirect vulnerability<= 3.3.19Dec 4, 2018
- Unauthenticated Cross-Site Scripting (XSS) vulnerability<= 3.3.17Nov 15, 2018
- CSV Injection vulnerability<= 3.3.13Aug 28, 2018
- Cross-Site Scripting (XSS) vulnerability<= 3.3.13Aug 28, 2018
- Cross-Site Scripting (XSS) vulnerability<= 3.2.13Feb 22, 2018
- Authenticated SQL Injection<= 2.9.55.1Aug 16, 2016
- Multiple Cross Site Scripting<= 2.9.51Jul 19, 2016
- PHP Object Injection<= 2.9.42.0Dec 26, 2015
- Malicious File Export<= 2.9.27Sep 30, 2015
- Cross Site Scripting<= 2.9.21Aug 4, 2015
- Cross Site Scripting<= 2.9.18Jun 5, 2015
- Cross Site Scripting<= 2.9.10Apr 20, 2015
- Multiple XSS<= 2.8.8Mar 5, 2015
- Unspecified Vulnerability<= 2.8.9Mar 5, 2015
- Authorization Bypass<= 2.7.7Sep 8, 2014