CVE-2021-24381

The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published: Oct 25, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-24381
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
ninjaforms / contact_form	-	3.5.8.2

https://wpscan.com/vulnerability/e383fae6-e0da-4aba-bb62-adf51c01bf8d

Vulnerability Database

289,697

CVE-2021-24381