WordPress Ninja Forms vulnerable to CSRF

The WordPress plugin ‘Ninja Forms’, which currently has 1 million+ installs, is vulnerable to a CSRF attack. The vulnerability is tracked as CVE-2020-12462.

The ninja-forms plugin before for WordPress allows CSRF with resultant XSS.


The fix was added on the 28th of April 2020.

Fixed Cross-Site Request Forgery(CSRF) to stored Cross-Site Scripting(XSS) reported responsibly by Ramuel Gall (Wordfence Threat Intelligence Team).

Changelog note on the WordPress ninja-forms page

It is strongly advised to update the Ninja Forms plugin to the latest version to mitigate CVE-2020-12462.
