Vulnerability Description
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to inject SQL in their email address that will append additional into the already existing query when an administrator triggers a personal data export.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ninjaforms | Ninja Forms | <= 3.7.1 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3028929/ninja-forms/trunk/includes/Patch
- https://sec.stealthcopter.com/ninja-contact-forms/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866Third Party Advisory
- https://plugins.trac.wordpress.org/changeset/3028929/ninja-forms/trunk/includes/Patch
- https://sec.stealthcopter.com/ninja-contact-forms/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866Third Party Advisory
FAQ
What is CVE-2024-0685?
CVE-2024-0685 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all ...
How severe is CVE-2024-0685?
CVE-2024-0685 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-0685?
Check the references section above for vendor advisories and patch information. Affected products include: Ninjaforms Ninja Forms.