← volver
CVE-2021-24164

Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure

EPSS 0.9%CWE-200
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.
Productos afectados
Unknown · Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://wpscan.com/vulnerability/dfa32afa-c6de-4237-a9f2-709843dcda89https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/