CVE-2023-1835
Published: 15 May 2023
Summary
CVE-2023-1835 is a medium-severity an unspecified weakness vulnerability in Ninjaforms Ninja Forms. Its CVSS base score is 6.1 (Medium).
Operationally, ranked in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Ninja Forms Contact Form WordPress plugin before version 3.6.22 contains a reflected cross-site scripting vulnerability. The root cause is insufficient escaping of user-supplied input before it is rendered in an administrative interface, as described in the CVE record with a CVSS 3.1 score of 6.1.
An unauthenticated remote attacker can exploit the flaw by crafting a malicious link that, when clicked by a high-privilege user such as an administrator, executes arbitrary script in the victim's browser context. The attack requires user interaction and results in limited confidentiality and integrity impacts with changed scope.
EPSS for the vulnerability reached a peak of 0.1809, indicating that exploitation interest emerged after disclosure and that the issue warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24037
Vulnerability details
The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.