CVE-2024-2108: 
WordPress vulnerability analysis and mitigation

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting (CVE-2024-2108) via an image title embedded into a form in versions up to 3.8.0. The vulnerability was discovered and reported by Wordfence, with a patch released in version 3.8.1 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's form handling functionality. The issue specifically relates to image titles embedded in forms, which can be manipulated to inject malicious scripts. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 4.6 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to client-side attacks against site visitors (NVD).

Users should immediately upgrade to Ninja Forms version 3.8.1 or later, which contains the security patch that addresses this vulnerability. The fix can be found in the updated ListImage.php file (WordPress Plugin).