Exploitation Summary
EIP tracks 1 public exploit for CVE-2018-16308. PoCs published by Mostafa Gharzi.
AI-analyzed exploit summary: This exploit demonstrates a CSV injection vulnerability in WordPress Ninja Forms plugin versions 3.3.13 and earlier. The PoC shows how an attacker can inject commands into form fields, which execute when a privileged user exports and opens the CSV file.
Description
The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
Exploits (1)
exploitdb
WORKING POC
by Mostafa Gharzi · text · webapps · php
https://www.exploit-db.com/exploits/45234
Classification
Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Ninja Forms plugin 3.3.13 and before
Auth required
Prerequisites: Access to submit a form with malicious input · Privileged user to export and open the CSV file
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (3)
Core References
Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/ninja-forms/#developers
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45234/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/148993/WordPress-Ninja-Forms-3.3.13-CSV-Injection.html
Scores
CVSS v3: 8.6
EPSS: 0.0179
EPSS Percentile: 75.5%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE: CWE-1236
Status: published
Products (1)
ninjaforms/ninja_forms < 3.3.14.1
Published: Sep 01, 2018
Tracked Since: Feb 18, 2026