CVE-2021-24166

State: PUBLISHED · Published: 2021-04-05 · Updated: 2024-08-03 · Assigner: WPScan

Description

The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.

CWE

CWE-352 — CWE-352 Cross-Site Request Forgery (CSRF)

Affected

Unknown / Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress — v=3.4.34 <3.4.34 [affected]

CVSS

(none)

References

https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/ x_refsource_MISC
https://wpscan.com/vulnerability/b531fb65-a8ff-4150-a9a1-2a62a3c00bd6 x_refsource_CONFIRM

Source

cvelistV5-main/cves/2021/24xxx/CVE-2021-24166.json