Vulnerability Description
The wp_ajax_nf_oauth_disconnect AJAX action in the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection, making it possible for attackers to craft a request that disconnects a site's OAuth connection.
CVSS Score
MEDIUM (base score 5.4)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ninjaforms | Ninja Forms | < 3.4.34 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/b531fb65-a8ff-4150-a9a1-2a62a3c00bd6 (Exploit, Third Party Advisory)
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vu (Third Party Advisory)
FAQ
What is CVE-2021-24166?
CVE-2021-24166 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The wp_ajax_nf_oauth_disconnect AJAX action in the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection, making it possible for attackers...
How severe is CVE-2021-24166?
CVE-2021-24166 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2021-24166?
Check the references section above for vendor advisories and patch information. Affected products include: Ninjaforms Ninja Forms.