CVE-2021-34648

Name of the Vulnerable Software and Affected Versions: Ninja Forms WordPress plugin versions up to and including 3.5.7

Description: The issue allows authenticated attackers to send arbitrary emails from the affected server via the "/ninja-forms-submissions/email-action" REST API endpoint, utilizing the trigger email action function found in the ~/includes/Routes/Submissions.php file. This can be used to socially engineer victims.

Recommendations: For versions up to and including 3.5.7, update to a version later than 3.5.7 to resolve the issue. As a temporary workaround, consider disabling the trigger email action function until a patch is available. Restrict access to the "/ninja-forms-submissions/email-action" REST API endpoint to minimize the risk of exploitation.