CVE-2021-24889

HIGH

Ninja Forms Contact Form <3.6.4 - SQL Injection

Title source: llm
STIX 2.1

Description

The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/55008a42-eb56-436c-bce0-10ee616d0495

Scores

CVSS v3 7.2
EPSS 0.0127
EPSS Percentile 66.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
ninjaforms/ninja_forms < 3.6.4
Published Nov 29, 2021
Tracked Since Feb 18, 2026