CVE-2024-3866
Ninja Forms Contact Form <= 3.8.15 - Reflected Self-Based Cross-Site Scripting via RefererThe Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "maintenance mode" for a targeted form to be enabled. However, there is no setting available to the attacker or even an administrator-level user to enable this mode. The mode is only enabled during a required update, which is a very short window of time. Additionally, because of the self-based nature of this vulnerability, attackers would have to rely on additional techniques to execute a supplied payload in the context of targeted user.
We have discovered 58,339 live websites that are affected by CVE-2024-3866.
Affected Software
| Product | |
| Category | Form Builders |
| Vulnerable Domains | 58,339 live websites (40.36% of Ninja Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 255 versions ( 92.39% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 25, 2024
- Updated - Sep 25, 2024
Credits
- wesley (finder)
CWE
CVE References
CWE References
CVE-2024-3866 usage by Country
 United States | 27,227 websites |
 Germany | 6,122 websites |
 France | 3,376 websites |
 GB | 3,141 websites |
 Netherlands | 1,814 websites |
 Australia | 1,313 websites |
 Spain | 1,022 websites |
 Canada | 977 websites |
 Switzerland | 966 websites |
 Italy | 875 websites |
CVE-2024-3866 usage by TLD
| .com | 28,440 websites |
| .org | 3,286 websites |
| .de | 2,902 websites |
| .co.uk | 2,709 websites |
| .nl | 1,922 websites |
| .com.au | 1,682 websites |
| .fr | 1,272 websites |
| .net | 1,255 websites |
| .ca | 978 websites |
| .ch | 814 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3866
Top websites that are affected by CVE-2024-3866. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.com | United States | *** | |
| ****.ca | United States | *,*** | |
| **********.com | United States | *,*** | |
| ***********.com | United States | *,*** | |
| **********.ro |  Romania | **,*** | |
| ************.com | United States | **,*** | |
| ***.software | Germany | **,*** | |
| *******.**.il |  Israel | **,*** | |
| ********.com | United States | **,*** | |
| *****************.de | Germany | **,*** |
FAQ
CVE-2024-3866 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ninja Forms
A total of 58,339 websites have been identified as vulnerable to CVE-2024-3866, discovered through global website indexing conducted by WebTechSurvey.
Ninja Forms is susceptible to CVE-2024-3866 vulnerability.
Ninja Forms versions before, and including, 3.8.15 are vulnerable to CVE-2024-3866.