PT-2024-28105 · WordPress · Ninja Forms Contact Form

Wesley · Published 2024-09-24 · Updated 2024-10-02 · CVE-2024-3866

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ninja Forms Contact Form plugin for WordPress, versions up to and including 3.8.15.

Description: The plugin is vulnerable to reflected, self-based cross-site scripting via the 'Referer' header because of insufficient input sanitization and output escaping. An unauthenticated attacker can inject arbitrary web script into pages, and that script executes if the attacker can trick a user into performing an action such as clicking a link. Successful exploitation requires "maintenance mode" to be enabled for the targeted form, which only happens during a required update, a very short window of time. Because the issue is self-based, an attacker would have to rely on additional techniques to get a supplied payload executed in the context of a targeted user.

Recommendations: For versions up to and including 3.8.15, update to a version higher than 3.8.15 to resolve the issue. As a temporary workaround, consider restricting access to the plugin while "maintenance mode" is enabled during a required update, to minimize the risk of exploitation. Avoid using the Referer header in sensitive operations until the issue is resolved.
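The following PHP is an added illustration of the bug class the advisory describes, not code from the Ninja Forms plugin: a maintenance-mode notice that reflects the request's Referer header into HTML. The function names, the option name and the notice markup are assumptions made for the example. The unsafe variant writes the header value into an attribute unescaped; the safe variant only reads the header through WordPress's own wp_get_referer() (which returns false when no same-site referer is present) and escapes it for the attribute context with esc_url() before output.

```php
<?php
/**
 * Added example (not plugin code): rendering a "form is in maintenance"
 * notice that links back to the page the visitor came from.
 *
 * Assumed: this runs inside WordPress, so wp_get_referer() and esc_url()
 * are available, and the form's maintenance flag is read from an option
 * whose name is invented for this example.
 */

/**
 * UNSAFE: the raw Referer header is attacker-controlled request input and
 * is copied into an HTML attribute without sanitization or escaping.
 * Anything the browser sends in that header lands verbatim in the page.
 */
function example_maintenance_notice_unsafe( $form_id ) {
	if ( ! get_option( 'example_form_' . (int) $form_id . '_maintenance', false ) ) {
		return '';
	}
	$back = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
	return '<p>This form is being updated. <a href="' . $back . '">Go back</a></p>';
}

/**
 * SAFE: wp_get_referer() rejects referers that are not on this site and
 * returns false when none is usable, and esc_url() escapes the value for
 * use in an href attribute (and strips unsafe URL schemes).
 */
function example_maintenance_notice_safe( $form_id ) {
	if ( ! get_option( 'example_form_' . (int) $form_id . '_maintenance', false ) ) {
		return '';
	}
	$back = wp_get_referer();
	if ( false === $back ) {
		// No trustworthy referer: fall back to the site's front page.
		$back = home_url( '/' );
	}
	return '<p>This form is being updated. <a href="' . esc_url( $back ) . '">Go back</a></p>';
}
```

The two functions differ only in how the Referer value is obtained and written out; the maintenance-mode check in both is what makes the window described in the advisory so short, since the reflecting code path is not reached at all while the flag is off.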

Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-3866

Affected Products: Ninja Forms Contact Form