CVE-2019-10869

HIGH

Ninjaforms Ninja Forms File Uploads < 3.0.23 - Path Traversal

Title source: rule

Description

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

Exploits (1)

nomisec WORKING POC 17 stars

by KTN1990 · poc

https://github.com/KTN1990/CVE-2019-10869

View Code ZIP pw:eip

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://www.onvio.nl/nieuws/ninjaforms-vulnerability

Third Party Advisory x_refsource_misc

https://wpvulndb.com/vulnerabilities/9272

Scores

CVSS v3 8.1

EPSS 0.4800

EPSS Percentile 97.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22 CWE-434

Status published

Products (1)

ninjaforms/ninja_forms_file_uploads < 3.0.23

Published May 07, 2019

Tracked Since Feb 18, 2026