Ninjaforms Ninja Forms — known CVE vulnerabilities
Every CVE whose affected-product data names Ninjaforms Ninja Forms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (57)
CVE-2025-9083 — CVSS 9.8 (critical): The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform…
CVE-2016-1209 — CVSS 9.8 (critical): The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized…
CVE-2018-20981 — CVSS 9.1 (critical): The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data…
CVE-2024-25572 — CVSS 8.8 (high): Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a malicious page…
CVE-2021-24163 — CVSS 8.8 (high): The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce…
CVE-2025-11924 — CVSS 7.5 (high): The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in…
CVE-2014-9688 — CVSS 7.5 (high): Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to…
CVE-2022-2903 — CVSS 7.2 (high): The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object…
CVE-2021-24889 — CVSS 7.2 (high): The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high…
CVE-2024-11052 — CVSS 7.2 (high): The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2023-37979 — CVSS 7.1 (high): Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.
CVE-2023-36505 — CVSS 6.8 (medium): Improper Input Validation vulnerability in Saturday Drive Ninja Forms Contact Form.This issue affects Ninja Forms Contact Form : from n/a…
CVE-2021-34647 — CVSS 6.5 (medium): The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the…
CVE-2025-5398 — CVSS 6.4 (medium): The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2024-13470 — CVSS 6.4 (medium): The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
CVE-2021-34648 — CVSS 6.4 (medium): The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the…
CVE-2024-12238 — CVSS 6.3 (medium): The The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in…
CVE-2023-1835 — CVSS 6.1 (medium): The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page…
CVE-2018-19796 — CVSS 6.1 (medium): An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the…
CVE-2024-29220 — CVSS 6.1 (medium): Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited…
CVE-2021-24165 — CVSS 6.1 (medium): In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect…
CVE-2024-7354 — CVSS 6.1 (medium): The Ninja Forms WordPress plugin before 3.8.11 does not escape an URL before outputting it back in an attribute, leading to a Reflected…
CVE-2024-50515 — CVSS 5.9 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms…
CVE-2024-50514 — CVSS 5.9 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kevin Stover Ninja Forms ninja-forms…
CVE-2024-0685 — CVSS 5.9 (medium): The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL…
CVE-2024-43999 — CVSS 5.9 (medium): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saturday Drive Ninja Forms…
CVE-2020-8594 — CVSS 5.4 (medium): The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key]…
CVE-2021-24166 — CVSS 5.4 (medium): The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before…
CVE-2024-26019 — CVSS 5.4 (medium): Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in submit processing. If this vulnerability is exploited, an…
CVE-2024-39628 — CVSS 5.4 (medium): Cross-Site Request Forgery (CSRF) vulnerability in Saturday Drive Ninja Forms allows Cross Site Request Forgery.This issue affects Ninja…
CVE-2024-37934 — CVSS 5.4 (medium): Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.This issue…
CVE-2025-14072 — CVSS 5.3 (medium): The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can…
CVE-2023-35909 — CVSS 5.3 (medium): Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress…
CVE-2020-36175 — CVSS 5.3 (medium): The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.
CVE-2025-2524 — CVSS 4.8 (medium): The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users…
CVE-2021-25066 — CVSS 4.8 (medium): The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users…
CVE-2025-2561 — CVSS 4.8 (medium): The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users…
CVE-2025-2560 — CVSS 4.8 (medium): The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users…
CVE-2023-5530 — CVSS 4.8 (medium): The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege…
CVE-2021-25056 — CVSS 4.8 (medium): The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to…
CVE-2021-36827 — CVSS 4.8 (medium): Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Saturday Drive's Ninja Forms Contact Form plugin <= 3.6.9 at WordPress…
CVE-2024-3866 — CVSS 4.7 (medium): The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in…
CVE-2024-2108 — CVSS 4.6 (medium): The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site…
CVE-2015-2220 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to…
CVE-2021-24164 — CVSS 4.3 (medium): In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action…
CVE-2024-2113 — CVSS 4.3 (medium): The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request…
CVE-2025-10498 — CVSS 4.3 (medium): The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in…
CVE-2025-10499 — CVSS 4.3 (medium): The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all…