Ninja Forms – The Contact Form Builder That Grows With You

Vulnerabilities: 106
Slug: ninja-forms
Latest version: 3.14.4

Minimum safe version

3.14.2

Update to 3.14.2 or later to address 103 fixable vulnerabilities

Latest available: 3.14.4
Affected up to: 3.8.10
Critical 9.8
2025-09-18 < 3.11.1

Ninja Forms <= 3.11.0 - Unauthenticated PHP Object Injection

N/A
2026-02-09 < 3.14.1

Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action

N/A
2026-03-27 < 3.14.2

Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token

Medium 6.4
2025-06-27 < 3.10.2.2

Ninja Forms <= 3.10.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via CSTI

Medium 4.8
2025-05-19 < 3.10.1

Ninja Forms – The Contact Form Builder That Grows With You <= 3.10.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Medium 4.8
2025-05-19 < 3.10.1

Ninja Forms – The Contact Form Builder That Grows With You <= 3.10.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Medium 4.8
2025-05-19 < 3.10.1

Ninja Forms – The Contact Form Builder That Grows With You <= 3.10.0 - Authenticated (Admin+) Stored Cross-Site Scripting

N/A
2024-09-03 ≥ 3.8.6 and ≤ 3.8.10

WordPress Ninja Forms Plugin 3.8.6-3.8.10 is vulnerable to Cross Site Scripting (XSS)

High 8.8
2024-04-11 < 3.8.1

CVE-2024-25572

Medium 4.8
2023-11-07 < 3.6.34

WordPress Ninja Forms Plugin < 3.6.34 is vulnerable to Cross Site Scripting (XSS)

N/A
< 2.9.11

Ninja Forms <= 2.9.10 - Cross-Site Scripting (XSS)

N/A
< 2.9.19

Ninja Forms <= 2.9.18 - Cross-Site Scripting (XSS)

N/A
< 2.9.22

Ninja Forms <= 2.9.21 - Authenticated Reflected Cross-Site Scripting (XSS)

N/A
< 2.9.28

Ninja Forms <= 2.9.27 - Malicious File Export

N/A
< 2.9.52

Ninja Forms <= 2.9.51 - Multiple Authenticated Cross-Site Scripting (XSS)

N/A
< 2.9.55.2

Ninja Forms <= 2.9.55.1 - Authenticated SQL Injection

N/A
< 3.3.14

Ninja Forms <= 3.3.13 - Cross-Site Scripting (XSS) in Import Function

N/A
< 3.3.21.3

Ninja Forms <= 3.3.21 - XSS and SQLi

N/A
< 3.5.5

Ninja Forms < 3.5.5 - Reflected Cross-Site Scripting

N/A
< 3.6.8

Ninja Forms < 3.6.8 - Unauthenticated Email Address Disclosure

N/A
< 3.6.11

Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection

N/A
2014-11-06 < 2.8.7

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 2.8.6 - Reflected Cross-Site Scripting

N/A
2015-04-20 < 2.9.11

Ninja Forms <= 2.9.10 - Reflected Cross-Site Scripting

N/A
2015-06-05 < 2.9.19

Ninja Forms Contact Form <= 2.9.18 - Cross-Site Scripting

N/A
2015-08-04 < 2.9.22

Ninja Forms Contact Form <= 2.9.21 - Reflected Cross-Site Scripting

N/A
2015-09-30 < 2.9.28

Ninja Forms Contact Form <= 2.9.27 - CSV Injection

N/A
2015-12-08 < 2.9.29

Ninja Forms Contact Form <= 2.9.28 - Stored Cross-Site Scripting

N/A
2016-07-19 < 2.9.52

Ninja Forms Contact Form <= 2.9.51 - Multiple Reflected Cross-Site Scripting

N/A
2016-08-16 < 2.9.55.2

Ninja Forms Contact Form <= 2.9.55.1 - Authenticated SQL Injection

N/A
2017-04-17 < 3.0.32

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.0.31 - Arbitrary WordPress Shortcode Injection

N/A
2018-08-27 < 3.3.14

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.3.13 - Cross-Site Scripting

N/A
2022-03-22 < 3.6.8

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.7 - Email Address Disclosure

N/A
2022-06-07 < 3.6.10

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.9 - Cross-Site Request Forgery to Field Import and PHP Object Injection

N/A
2022-06-15 < 3.6.11

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.6.10 - Code Injection

N/A
2015-04-20 < 2.9.11

WordPress Ninja Forms Plugin <= 2.9.10 - Cross Site Scripting

N/A
2014-09-08 < 2.7.8

WordPress Ninja Forms Plugin - Authorization Bypass

N/A
2015-06-05 < 2.9.19

WordPress Ninja Forms Plugin <= 2.9.18 - Cross Site Scripting

N/A
2015-08-04 < 2.9.22

WordPress Ninja Forms Plugin <= 2.9.21 - Cross Site Scripting

N/A
2022-06-15 ≤ 3.6.10

WordPress Ninja Forms plugin <= 3.6.10 - Unauthenticated PHP Object Injection vulnerability

N/A
2015-09-30 < 2.9.28

WordPress Ninja Forms Plugin <= 2.9.27 - Malicious File Export

N/A
2016-07-19 < 2.9.52

WordPress Ninja Forms Plugin <= 2.9.51 - Multiple Cross Site Scripting

N/A
2016-08-16 < 2.9.55.2

WordPress Ninja Forms Plugin <= 2.9.55.1 - Authenticated SQL Injection

N/A
2018-08-28 < 3.3.14

WordPress Ninja Forms plugin <= 3.3.13 - Cross-Site Scripting (XSS) vulnerability

N/A
2018-08-28 < 3.3.14

WordPress Ninja Forms plugin <= 3.3.13 - CSV Injection vulnerability

N/A
2019-06-25 < 3.3.21.3

WordPress Ninja Forms plugin <= 3.3.21 - SQL injection (SQLi) vulnerability

N/A
2019-06-25 < 3.3.21.3

WordPress Ninja Forms plugin <= 3.3.21 - Cross-Site Scripting (XSS) vulnerability

N/A
2020-09-22 < 3.4.27.1

WordPress Ninja Forms plugin <= 3.4.27 - Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Installation vulnerability

N/A
2021-02-16 < 3.4.34

WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure vulnerability

N/A
2021-02-16 < 3.4.34

WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Authenticated OAuth Connection Key Disclosure vulnerability

N/A
2021-02-16 < 3.4.34

WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Administrator Open Redirect vulnerability

N/A
2021-02-16 < 3.4.34

WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Cross-Site Request Forgery (CSRF) vulnerability

N/A
2022-03-22 < 3.6.8

WordPress Ninja Forms plugin <= 3.6.7 - Unauthenticated Email Address Disclosure vulnerability

Medium 6.1
2018-02-22 < 3.2.14

WordPress Ninja Forms plugin <= 3.2.13 - Cross-Site Scripting (XSS) vulnerability

Medium 6.1
2018-12-04 < 3.3.19.1

WordPress Ninja Forms plugin <= 3.3.19 - Authenticated Open Redirect vulnerability