CVE-2025-14072
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: WPScan

Description
The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14072
EUVD
EUVD-2026-0708
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpninjas ninja_forms to 3.13.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14072 is a vulnerability in the Ninja Forms WordPress plugin versions before 3.13.3 that allows unauthenticated attackers to generate valid access tokens via the REST API. Attackers can send a POST request with form IDs to the `/ninja-forms-views/token/refresh` endpoint to obtain tokens that include a public key and expire after 900 seconds. These tokens can then be used in the `X-NinjaFormsViews-Auth` header to access the `/ninja-forms-views/forms/{formID}/submissions` endpoint and retrieve all submissions for the targeted form without authentication. This results in complete disclosure of form submission data and is classified as an authentication bypass vulnerability (CWE-287). [1]

Detection Guidance

You can detect this vulnerability by attempting to generate a valid access token via the REST API without authentication. Specifically, send a POST request to the endpoint `/ninja-forms-views/token/refresh` with form ID(s) as parameters. For example, using curl: `curl -X POST https://yourwordpresssite.com/wp-json/ninja-forms-views/token/refresh -d 'formID=1'`. If a valid token is returned, the system is vulnerable. Additionally, you can check for unauthorized access attempts to `/ninja-forms-views/forms/{formID}/submissions` endpoints using the `X-NinjaFormsViews-Auth` header with such tokens. [1]

Mitigation Strategies

The immediate mitigation step is to update the Ninja Forms WordPress plugin to version 3.13.3 or later, where this vulnerability is fixed. Until the update can be applied, restrict access to the REST API endpoints `/ninja-forms-views/token/refresh` and `/ninja-forms-views/forms/{formID}/submissions` via firewall rules or other access controls to prevent unauthenticated token generation and data disclosure. [1]

Compliance Impact

The vulnerability allows unauthenticated attackers to access and disclose form submission data, which may include personal or sensitive information. This unauthorized data exposure can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and ensuring confidentiality and integrity of such information. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive form submission data, as attackers can access all submissions for targeted forms without any authentication. This could expose personal, confidential, or sensitive information submitted through Ninja Forms, potentially leading to privacy breaches, data theft, and reputational damage for affected websites. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14072. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart