Ninja Forms
Kevin Stover
Developer
3.14.2
Latest version
600,000
Installations
No date
Last updated
Vulnerability history
0 present
62 patched
18 Mitigation rules
- Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token vulnerability<= 3.14.14 days ago
- Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action vulnerability<= 3.14.010/02/2026
- Admin+ Stored XSS vulnerability< 3.10.131/12/2025
- Admin+ Stored XSS vulnerability< 3.10.131/12/2025
- Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token vulnerability<= 3.13.217/12/2025
- Cross-Site Request Forgery to Limited File Deletion vulnerability<= 3.12.026/09/2025
- Cross-Site Request Forgery to Plugin Settings Update vulnerability<= 3.12.026/09/2025
- Unauthenticated PHP Object Injection vulnerability< 3.11.109/09/2025
- Authenticated (Contributor+) Stored Cross-Site Scripting via CSTI vulnerability<= 3.10.2.126/06/2025
- Admin+ Stored XSS vulnerability< 3.10.119/05/2025
- Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability<= 3.8.2430/01/2025
- Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability<= 3.8.2230/12/2024
- Unauthenticated Stored Cross-Site Scripting via Form Calculations vulnerability<= 3.8.1912/12/2024
- Cross Site Scripting (XSS) vulnerability<= 3.8.1628/10/2024
- Cross Site Scripting (XSS) vulnerability<= 3.8.1628/10/2024
- Reflected Self-Based Cross-Site Scripting via Referer vulnerability<= 3.8.1525/09/2024
- Wordpress Ninja Forms plugin 3.8.6 - 3.8.10 - Reflected XSS3.8.6-3.8.1003/09/2024
- Cross Site Scripting (XSS) vulnerability<= 3.8.1128/08/2024
- Cross Site Request Forgery (CSRF) vulnerability<= 3.8.624/07/2024
- Subscriber+ Arbitrary Shortcode Execution vulnerability<= 3.8.404/07/2024
- Cross-Site Request Forgery to Publicly Accessible Form Submission Export vulnerability<= 3.8.029/03/2024
- Authenticated (Author+) Stored Cross-Site Scripting vulnerability<= 3.8.029/03/2024
- Unauthenticated Second Order SQL Injection vulnerability<= 3.7.101/02/2024
- Admin+ Stored XSS vulnerability< 3.6.3407/11/2023
- Reflected Cross Site Scripting (XSS) vulnerability<= 3.6.2525/07/2023
- Subscriber+ Broken Access Control vulnerability<= 3.6.2525/07/2023
- Contributor+ Broken Access Control vulnerability<= 3.6.2525/07/2023
- Denial of Service Attack vulnerability<= 3.6.2507/07/2023
- Arbitrary File Deletion vulnerability<= 3.6.2422/06/2023
- Reflected XSS vulnerability< 3.6.2202/05/2023
- Authenticated PHP Objection Injection vulnerability<= 3.6.1205/09/2022
- Unauthenticated PHP Object Injection vulnerability<= 3.6.1015/06/2022
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 3.6.913/06/2022
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 3.6.910/06/2022
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 3.6.907/06/2022
- Unauthenticated Email Address Disclosure vulnerability<= 3.6.722/03/2022
- SQL Injection (SQLi) vulnerability<= 3.6.326/10/2021
- Stored Cross-Site Scripting (XSS) vulnerability<= 3.5.8.127/09/2021
- Unprotected REST-API to Sensitive Information Disclosure vulnerability<= 3.5.722/09/2021
- Unprotected REST-API to Email Injection vulnerability<= 3.5.722/09/2021
- Cross-Site Request Forgery (CSRF) vulnerability<= 3.4.3316/02/2021
- Administrator Open Redirect vulnerability<= 3.4.3316/02/2021
- Authenticated OAuth Connection Key Disclosure vulnerability<= 3.4.3316/02/2021
- Authenticated SendWP Plugin Installation and Client Secret Key Disclosure vulnerability<= 3.4.3316/02/2021
- Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Installation vulnerability<= 3.4.2722/09/2020
- Cross-Site Scripting (XSS) vulnerability<= 3.3.2125/06/2019
- SQL injection (SQLi) vulnerability<= 3.3.2125/06/2019
- Authenticated Open Redirect vulnerability<= 3.3.1904/12/2018
- Unauthenticated Cross-Site Scripting (XSS) vulnerability<= 3.3.1715/11/2018
- CSV Injection vulnerability<= 3.3.1328/08/2018
- Cross-Site Scripting (XSS) vulnerability<= 3.3.1328/08/2018
- Cross-Site Scripting (XSS) vulnerability<= 3.2.1322/02/2018
- Authenticated SQL Injection<= 2.9.55.116/08/2016
- Multiple Cross Site Scripting<= 2.9.5119/07/2016
- PHP Object Injection<= 2.9.42.026/12/2015
- Malicious File Export<= 2.9.2730/09/2015
- Cross Site Scripting<= 2.9.2104/08/2015
- Cross Site Scripting<= 2.9.1805/06/2015
- Cross Site Scripting<= 2.9.1020/04/2015
- Multiple XSS<= 2.8.805/03/2015
- Unspecified Vulnerability<= 2.8.905/03/2015
- Authorization Bypass<= 2.7.708/09/2014