Description
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch Update
AI Analysis

Impact

The Ninja Forms plugin for WordPress is vulnerable to stored cross‑site scripting caused by a templating engine that fails to escape user‑supplied data. When an authenticated user with contributor or higher privileges injects a script into a template or form, the malicious code is stored and will execute in the browsers of any visitor who loads the affected page. This flaw is identified as CWE‑79 and can lead to session hijacking, defacement, or other client‑side compromise.

Affected Systems

Ninja Forms for WordPress, all releases up to and including 3.10.2.1.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1 percent shows a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated contributor (or higher) with the ability to edit templates or form content; once an attacker injects script, any user who accesses the page will have the code executed. Overall risk is moderate, with a limited attack surface owing to the authentication requirement.

Generated by OpenCVE AI on April 21, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ninja Forms to version 3.10.3 or later to receive the output‑escaping fix.
  • Revoke or restrict contributor roles that allow editing of form templates or frontend content, limiting write access to only necessary capabilities.
  • Audit existing forms and template files for any injected scripts and remove malicious content before applying the update.

Generated by OpenCVE AI on April 21, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28541 The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 07 Jul 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Ninjaforms
Ninjaforms ninja Forms
CPEs cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products Ninjaforms
Ninjaforms ninja Forms

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Ninja Forms <= 3.10.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via CSTI
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ninjaforms Ninja Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:32.419Z

Reserved: 2025-05-30T20:44:25.820Z

Link: CVE-2025-5398

cve-icon Vulnrichment

Updated: 2025-06-27T13:28:43.849Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-27T10:15:26.470

Modified: 2025-07-07T15:31:31.283

Link: CVE-2025-5398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses