Cyber Resilience

CVE-2023-1835

MediumPublic PoC

Published: 15 May 2023

Published
15 May 2023
Modified
14 January 2025
KEV Added
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.1400 94.5th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1835 is a medium-severity an unspecified weakness vulnerability in Ninjaforms Ninja Forms. Its CVSS base score is 6.1 (Medium).

Operationally, ranked in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Ninja Forms Contact Form WordPress plugin before version 3.6.22 contains a reflected cross-site scripting vulnerability. The root cause is insufficient escaping of user-supplied input before it is rendered in an administrative interface, as described in the CVE record with a CVSS 3.1 score of 6.1.

An unauthenticated remote attacker can exploit the flaw by crafting a malicious link that, when clicked by a high-privilege user such as an administrator, executes arbitrary script in the victim's browser context. The attack requires user interaction and results in limited confidentiality and integrity impacts with changed scope.

EPSS for the vulnerability reached a peak of 0.1809, indicating that exploitation interest emerged after disclosure and that the issue warrants renewed attention.

EU & UK References

Vulnerability details

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ninjaforms
ninja forms
≤ 3.6.22

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References