ThreatPress

WordPress Vulnerabilities Database

WordPress Ninja Forms Plugin <= 2.8.8 - Multiple XSS

Product
Ninja Forms
Description
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "ninja_forms_field_1" parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php. In addition, multiple cross-site scripting vulnerabilities allow administrators to inject arbitrary web script or HTML via the "fields[1]" parameter to wp-admin/post.php.
Solution
Update the plugin.
Classification
Type XSS (Cross Site Scripting)
OWASP Top 10 A3: Cross Site Scripting (XSS)
References
CVE Mitre
CVE
Name CVE-2015-2220
Versions
Affected In <= 2.8.8
Fixed In 2.8.9
Disclosure date
2015-03-05
Credits
Sergio Navarro of Dionach