During security research I found an authenticated stored XSS vulnerability in the WordPress Ninja Forms Contact Form plugin. Affected plugin version: < 3.6.9


Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in the WordPress Ninja Forms Contact Form plugin (versions <= 3.6.9).


In the WordPress admin, in the left column, click Ninja Forms > Dashboard.

Here you see a shortcode; in this case the shortcode is:

[ninja_form id=1]

Create a new page containing the shortcode [ninja_form id=1] and publish the page.

Now go back to Ninja Forms > Dashboard.

Click the default form that is created upon installation, called:

Contact Me.

A Form Fields tab is now shown.

Click on the Name field. On the right side you will see an option to change the Label (below Single Line Text).

Enter the following payload there:

<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`123` //>

Click the Done button.

Click the Publish button.

Log out of WordPress and visit the page you created earlier.

The stored payload now fires in the browser of an unauthenticated visitor, confirming the stored XSS.
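As an added illustration (not code from this advisory or from the Ninja Forms plugin), the defect class and its fix side by side: a stored field label echoed into HTML verbatim versus escaped on output, plus an audit helper a site owner can run over stored labels to find ones already carrying markup. The field dictionaries are a constructed stand-in for how the plugin stores form settings, not its real format.

```python
import html
import re
from typing import Dict, List

# Constructed sample of stored field labels, modelled on the steps above:
# the Name field carries the payload from the writeup, the other is benign.
STORED_FIELDS: List[Dict[str, str]] = [
    {"key": "name", "type": "Single Line Text",
     "label": "<!'/*\"/*/'/*/\"/*--></Script><Image SrcSet=K */; OnError=confirm`123` //>"},
    {"key": "email", "type": "Email", "label": "Your e-mail address"},
]

# Anything that looks like a tag, or an on*= event-handler attribute,
# has no business in a human-readable form label.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def render_label_unsafe(field: Dict[str, str]) -> str:
    """Mirrors the defect class: the stored label is placed in HTML unescaped."""
    return f'<label for="{field["key"]}">{field["label"]}</label>'


def render_label_safe(field: Dict[str, str]) -> str:
    """The fix: escape on output so <, >, &, and both quote characters become entities."""
    return (f'<label for="{html.escape(field["key"], quote=True)}">'
            f'{html.escape(field["label"], quote=True)}</label>')


def audit_labels(fields: List[Dict[str, str]]) -> List[str]:
    """Return the keys of fields whose stored label contains markup or an event handler."""
    return [f["key"] for f in fields
            if MARKUP_RE.search(f["label"]) or EVENT_HANDLER_RE.search(f["label"])]


def contains_raw_markup(rendered: str) -> bool:
    """True if any angle bracket survived inside the <label> wrapper, i.e. the label
    text was emitted as live markup rather than as escaped text."""
    inner = rendered[rendered.index(">") + 1 : rendered.rindex("<")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    print("fields needing cleanup:", audit_labels(STORED_FIELDS))
    for f in STORED_FIELDS:
        print("unsafe:", render_label_unsafe(f))
        print("safe:  ", render_label_safe(f))
```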

Additional information

Patchstack link: https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-contact-form-plugin-3-6-9-authenticated-stored-cross-site-scripting-xss-vulnerability


NIST link: https://nvd.nist.gov/vuln/detail/CVE-2021-36827

The plugin has more than 1 million active installations.