.. / CVE-2023-37979

Exploit for Ninja Forms < 3.6.26 - Cross-Site Scripting (CVE-2023-37979)

Description:

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Nuclei Template

View the template here CVE-2023-37979.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-37979.yaml
Copy

References:

https://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin?_s_id=cve
https://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html
https://nvd.nist.gov/vuln/detail/CVE-2023-37979
https://wpscan.com/vulnerability/3c7c65e9-c4fd-4d98-ae16-77abffbf7348
http://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html