CVE-2025-2561
Ninja Forms < 3.10.1 - Admin+ Stored XSSThe Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
We have discovered 44,999 live websites that are affected by CVE-2025-2561.
Affected Software
| Product | |
| Category | Form Builders |
| Vulnerable Domains | 44,999 live websites (34% of Ninja Forms install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 212 versions ( 91% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - May 19, 2025
- Updated - Jan 9, 2026
Credits
- Bob Matyas (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-2561 United States | 17,406 websites |
 Germany | 4,343 websites |
 GB | 3,086 websites |
 France | 2,663 websites |
 Netherlands | 1,563 websites |
 Italy | 1,412 websites |
 Australia | 1,201 websites |
 Canada | 1,172 websites |
 Spain | 970 websites |
 Switzerland | 668 websites |
Website Distribution by TLD
Number of websites using CVE-2025-2561| .com | 21,165 websites |
| .org | 2,430 websites |
| .de | 2,409 websites |
| .co.uk | 2,165 websites |
| .nl | 1,444 websites |
| .fr | 1,215 websites |
| .com.au | 1,090 websites |
| .net | 1,003 websites |
| .it | 937 websites |
| .ca | 664 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-2561
Top websites that are affected by CVE-2025-2561. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | *,*** | |
| ****************.com | United States | *,*** | |
| ****************.com | United States | *,*** | |
| ************.com | United States | **,*** | |
| **********.ro |  Romania | **,*** | |
| **************.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| *******.**.il |  Israel | **,*** | |
| *****************.fr | France | **,*** | |
| ************.org | United States | **,*** |
FAQ
CVE-2025-2561 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ninja Forms
A total of 44,999 websites have been identified as vulnerable to CVE-2025-2561, based on global website indexing conducted by WebTechSurvey.
The Ninja Forms is affected by the CVE-2025-2561 vulnerability.
Ninja Forms versions up to 3.10.1 are vulnerable to CVE-2025-2561.
CVE-2025-2561 is resolved in version 3.10.1 of Ninja Forms.