CVE-2015-2220

Name of the Vulnerable Software and Affected Versions Ninja Forms plugin versions prior to 2.8.9

Description The issue allows remote attackers to inject arbitrary web script or HTML, and it also affects remote administrators. This can be achieved through the "ninja forms field 1" parameter in a "ninja forms ajax submit" action to the "/wp-admin/admin-ajax.php" API endpoint, or through the fields[1] parameter to the "/wp-admin/post.php" API endpoint.

Recommendations For versions prior to 2.8.9, update to version 2.8.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/admin-ajax.php" and "/wp-admin/post.php" API endpoints to minimize the risk of exploitation. Avoid using the ninja forms field 1 and fields[1] parameters in the affected API endpoints until the issue is resolved.