CVE-2022-0889 HIGH

CVE-2022-0889: Ninja Forms - File Uploads Extension <= 3.3.12 - Reflected Cross-Site Scripting

Vendor Saturdaydrive
Product Ninja Forms - File Uploads
Weakness CWE-79 · XSS
Published March 23, 2022
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.

Key dates

02Disclosure timeline

March 23, 2022 CVE published
April 8, 2026 Record updated