The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers to bypass validation via the email field.

The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for submissions-table fields.

The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via services integration.

The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.

The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with resultant XSS.

An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPress allows Remote Attackers to redirect a user via the lib/StepProcessing/step-processing.php (aka submissions download page) redirect parameter.

The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests.

The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering.

The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder.

The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.