Ninja Forms is one of the most widely used WordPress plugins for creating contact forms with over 700,000 active installations. Its user-friendly drag-and-drop interface makes it a favorite among both developers and non-technical users. However, in the process of a routine plugin security audit, we discovered a critical vulnerability that permits Stored Cross-Site Scripting (XSS), allowing a contributor or editor to inject malicious JavaScript and potentially establish a persistent backdoor, leading to complete account takeover.

CVE: CVE-2025-2524
Affected: Ninja Forms < 3.10.1
Criticality: High
All-time downloads: 53 415 976
Active installations: 700 000+
Publicly published: May 30, 2025
Last updated: May 30, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2524
https://wpscan.com/vulnerability/6e89ad2b-f12e-4b49-b34e-8da7d30629cd/
Timeline

March 13, 2025: Plugin testing and vulnerability detection in the Ninja Forms – The Contact Form Builder That Grows With You have been completed
March 13, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
May 30, 2025: Registered CVE-2025-2524

Discovery of the Vulnerability

The vulnerability, registered under CVE-2025-2524, was uncovered during dynamic testing of the Ninja Forms plugin. We identified that an editor can craft a payload within a form field using the "Paragraph" block. When Rich Text Editor mode is enabled, the plugin fails to properly sanitize the HTML content stored in the field's default value, so arbitrary JavaScript executes whenever the form is previewed. This creates an attack surface where malicious users can escalate privileges or embed persistent scripts affecting every administrator who visits the vulnerable page.

Understanding XSS attacks

XSS vulnerabilities remain one of the most exploited classes of bugs in the WordPress ecosystem, especially due to the unfiltered_html capability that is often granted to roles like editors and contributors. When plugins like Ninja Forms fail to sanitize user-provided content in contexts like form fields, the risk multiplies. In real-world scenarios, attackers use stored XSS to execute JavaScript that injects admin accounts, installs malware, or exfiltrates cookies and CSRF tokens.

Exploiting the XSS Vulnerability

To exploit CVE-2025-2524, an attacker with editor or higher privileges proceeds as follows:

POC:

1) Create a new Blank Form
2) Add a "Paragraph" block, change its "Default Value" field to "<img src=x onerror=alert(1)>", and switch on "Show Rich Text Editor"
3) Preview the form to trigger the XSS
(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

The implications of this vulnerability are substantial. If an editor injects a backdoor JavaScript payload instead of a simple alert, they can silently create new admin accounts, modify site configurations, or exfiltrate sensitive data. Considering Ninja Forms is installed on over 700,000 sites, the potential for mass exploitation is high. In multi-author environments, where not all users are fully trusted, this flaw becomes a gateway to total site compromise.

Recommendations for Improved Security

Administrators are advised to update Ninja Forms to the latest patched version immediately. Additionally, restrict the unfiltered_html capability for non-admin users using a role management plugin. It is also critical to implement Content Security Policies (CSP) and consider using a Web Application Firewall (WAF) that can detect and block XSS payloads in real-time. Plugin developers should ensure that all dynamic content is properly escaped and sanitized, especially when rendered in contexts that support HTML.
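The developer-side recommendation above, shown as an added example (not Ninja Forms' own code): the unsafe rendering pattern beside a hardened one that applies WordPress core sanitizers to the stored "Default Value" before it reaches the preview. The function names are hypothetical, and the snippet assumes it runs inside WordPress, where wp_kses_post() and esc_html() are defined.

```php
<?php
// Added example, not the plugin's code. Demonstrates "escape and sanitize
// before rendering in an HTML context" with WordPress core APIs.

/**
 * Vulnerable pattern (hypothetical name): the stored default value is
 * concatenated straight into the preview markup. The PoC payload from
 * this page, <img src=x onerror=alert(1)>, therefore executes for every
 * user who previews the form.
 */
function nf_example_render_paragraph_unsafe( $default_value ) {
    return '<div class="nf-paragraph">' . $default_value . '</div>';
}

/**
 * Hardened pattern (hypothetical name). Rich Text Editor mode legitimately
 * needs some HTML (headings, links, emphasis), so the value goes through
 * wp_kses_post(), which keeps only the post-safe tag/attribute allowlist
 * and strips on* event handlers, <script> elements and javascript: URLs.
 * When rich text is off, no HTML is needed at all, so esc_html() encodes
 * the whole value as literal text.
 */
function nf_example_render_paragraph_safe( $default_value, $rich_text_enabled ) {
    $clean = $rich_text_enabled
        ? wp_kses_post( $default_value )
        : esc_html( $default_value );
    return '<div class="nf-paragraph">' . $clean . '</div>';
}

// Constructed input: the same payload used in the PoC above.
$payload = '<img src=x onerror=alert(1)>';

// Unsafe: the onerror handler survives and fires in the preview.
echo nf_example_render_paragraph_unsafe( $payload ), "\n";

// Safe, rich text on: the <img> tag is kept but onerror is removed.
echo nf_example_render_paragraph_safe( $payload, true ), "\n";

// Safe, rich text off: the payload is rendered as inert text.
echo nf_example_render_paragraph_safe( $payload, false ), "\n";
```

Sanitizing at render time, rather than only on save, also neutralizes values that were stored before the fix was deployed.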

To prevent this type of attack, the vendor applied the prevention methods we recommended.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-2524, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-2524 – Ninja Forms – Stored XSS to JS Backdoor Creation – POC
