CVE-2024-3866

low-risk

Published 2024-09-25

The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "maintenance mode" for a targeted form to be enabled. However, there is no setting available to the attacker or even an administrator-level user to enable this mode. The mode is only enabled during a required update, which is a very short window of time. Additionally, because of the self-based nature of this vulnerability, attackers would have to rely on additional techniques to execute a supplied payload in the context of targeted user.

Do I need to act?

1.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.7/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Ninja Forms

Affected Vendors

Ninjaforms

References (2)

Patch https://plugins.trac.wordpress.org/changeset/3153292/ninja-forms

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/f6d6b82d-574d-4a56-9ae...

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 4/34 · Minimal

Exposure 5/34 · Minimal