CVE-2024-3866
Ninja Forms Contact Form <= 3.8.15 - Reflected Self-Based Cross-Site Scripting via RefererThe Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "maintenance mode" for a targeted form to be enabled. However, there is no setting available to the attacker or even an administrator-level user to enable this mode. The mode is only enabled during a required update, which is a very short window of time. Additionally, because of the self-based nature of this vulnerability, attackers would have to rely on additional techniques to execute a supplied payload in the context of targeted user.
We have discovered 35,460 live websites that are affected by CVE-2024-3866.
Affected Software
| Product | |
| Category | Form Builders |
| Vulnerable Domains | 35,460 live websites (27% of Ninja Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 195 versions ( 84% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 25, 2024
- Updated - Sep 25, 2024
Credits
- wesley (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-3866 United States | 13,865 websites |
 Germany | 3,287 websites |
 GB | 2,381 websites |
 France | 2,078 websites |
 Italy | 1,166 websites |
 Netherlands | 1,161 websites |
 Australia | 998 websites |
 Canada | 896 websites |
 Spain | 798 websites |
 Poland | 504 websites |
Website Distribution by TLD
Number of websites using CVE-2024-3866| .com | 16,777 websites |
| .org | 1,931 websites |
| .de | 1,741 websites |
| .co.uk | 1,659 websites |
| .nl | 1,076 websites |
| .fr | 976 websites |
| .com.au | 904 websites |
| .net | 803 websites |
| .it | 790 websites |
| .ca | 510 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3866
Top websites that are affected by CVE-2024-3866. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | *,*** | |
| ************.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| *******.**.il |  Israel | **,*** | |
| *****************.fr | France | **,*** | |
| ************.org | United States | **,*** | |
| ***************.it | Italy | **,*** | |
| ***********.com | Canada | **,*** | |
| ********.es | United States | **,*** |
FAQ
CVE-2024-3866 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ninja Forms
A total of 35,460 websites have been identified as vulnerable to CVE-2024-3866, based on global website indexing conducted by WebTechSurvey.
The Ninja Forms is affected by the CVE-2024-3866 vulnerability.
Ninja Forms versions up to and including 3.8.15 are vulnerable to CVE-2024-3866.