Product
ninjaforms ninja forms
65 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | Description
CVE-2025-14072 | < 3.13.3 | The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API
CVE-2025-11924 | < 3.13.1 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Refere
CVE-2025-10499 | < 3.12.1 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in
CVE-2025-10498 | < 3.12.1 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in
CVE-2025-9083 | < 3.11.1 | The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to
CVE-2025-5398 | < 3.10.2.2 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
CVE-2025-2561 | < 3.10.1 | The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privileg
CVE-2025-2560 | < 3.10.1 | The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privileg
CVE-2025-2524 | < 3.10.1 | The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privileg
CVE-2024-13470 | < 3.8.25 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
CVE-2024-12238 | < 3.8.23 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execu
CVE-2024-11052 | < 3.8.20 | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
CVE-2024-50515 | <= 3.8.16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms nin
CVE-2024-50514 | <= 3.8.16 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms nin
CVE-2024-3866 | < 3.8.16 | The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' hea
CVE-2024-43999 | < 3.8.12 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saturday Drive Ninja
CVE-2024-1596 | < 3.3.18 | The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX fi
CVE-2024-7354 | >= 3.8.6 and < 3.8.11 | The Ninja Forms WordPress plugin before 3.8.11 does not escape an URL before outputting it back in an attribute, leading to a Ref
CVE-2024-39628 | < 3.8.7 | Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery. This issue affects
CVE-2024-37934 | < 3.8.5 | Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection. This i
CVE-2023-38393 | <= 3.6.26 | Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25.
CVE-2023-38386 | < 3.6.26 | Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25.
CVE-2023-36505 | < 3.6.25 | Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form. This issue affects Ninja Forms Contact Form: f
CVE-2024-29220 | < 3.8.1 | Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exp
CVE-2024-26019 | < 3.8.1 | Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited,
CVE-2024-25572 | < 3.4.31 | Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a maliciou
CVE-2024-2113 | < 3.8.1 | The Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Reque
CVE-2024-2108 | < 3.8.1 | The Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Sit
CVE-2024-0685 | <= 3.7.1 | The Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL
CVE-2023-35909 | < 3.6.26 | Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form - The Drag and Drop Form Builder for Wo
CVE-2023-5530 | < 3.6.34 | The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high
CVE-2023-4109 | < 3.6.26 | The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulner
CVE-2023-37979 | < 3.6.26 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.
CVE-2023-1835 | < 3.6.22 | The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an ad
CVE-2022-2903 | < 3.6.13 | The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP
CVE-2021-25066 | < 3.6.10 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privile
CVE-2021-25056 | < 3.6.10 | The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege use
CVE-2021-36827 | <= 3.6.9 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at Wor
CVE-2022-0889 | <= 3.3.12 | The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitizat
CVE-2022-0888 | <= 3.3.0 | The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file t
CVE-2021-24889 | < 3.6.4 | The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow hi
CVE-2021-24381 | < 3.5.8.2 | The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field
CVE-2021-34648 | <= 3.5.7 | The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/inc
CVE-2021-34647 | <= 3.5.7 | The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found
CVE-2021-24166 | < 3.4.34 | The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress plugin
CVE-2021-24165 | < 3.4.34 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open re
CVE-2021-24164 | < 3.4.34.1 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the a
CVE-2021-24163 | < 3.4.34 | The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any non
CVE-2020-36175 | < 3.4.27.1 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
CVE-2020-36174 | < 3.4.27.1 | The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.
CVE-2020-36173 | < 3.4.28 | The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.
CVE-2020-12462 | < 3.4.24.2 | The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.
CVE-2020-8594 | all versions | The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_for
CVE-2018-20981 | < 3.3.9 | The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Persona
CVE-2018-20980 | < 3.2.15 | The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.
CVE-2017-18574 | < 3.0.31 | The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.
CVE-2019-15025 | < 3.3.21.2 | The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.
CVE-2019-10869 | < 3.0.23 | Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on
CVE-2018-19796 | < 3.3.19.1 | An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/St
CVE-2018-19287 | < 3.3.18 | XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Men
CVE-2018-16308 | < 3.3.14.1 | The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
CVE-2018-7280 | < 3.2.14 | The Ninja Forms plugin before 3.2.14 for WordPress has XSS.
CVE-2016-1209 | <= 2.9.42 | The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted s
CVE-2015-2220 | <= 2.8.8 | Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attacker
CVE-2014-9688 | <= 2.8.9 | Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors relat