CVE-2026-1307
Received - Intake
Sensitive Information Exposure in Ninja Forms Plugin via Authenticated Access

Publication date: 2026-03-28

Last updated on: 2026-03-28

Assigner: Wordfence

Description
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.
Meta Information
Published: 2026-03-28
Last Modified: 2026-03-28
Generated: 2026-06-16
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wpninjas
Product: ninja_forms
Version / Range: up to 3.14.1 (inclusive)
CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

The Ninja Forms plugin for WordPress, in all versions up to and including 3.14.1, exposes sensitive information through a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. Authenticated users with Contributor-level access or higher can obtain an authorization token that lets them view form submissions for any form, potentially exposing sensitive information contained in those submissions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information submitted through forms on a WordPress site using the Ninja Forms plugin. Attackers with Contributor-level access or above can access authorization tokens to view submissions from arbitrary forms, which may include personal or confidential data. This exposure can compromise user privacy and the security of the data collected via these forms.

Mitigation Strategies

To mitigate this vulnerability, you should update the Ninja Forms WordPress plugin to version 3.14.2 or later, as this update includes extensive code changes likely addressing the security issue.

Ensure that only trusted users have Contributor-level access or higher, since the vulnerability allows authenticated users with such access to exploit the issue.

Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to gain access to an authorization token that can be used to view form submissions for arbitrary forms. These form submissions could potentially contain sensitive information.

Exposure of sensitive information through this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized access.

Therefore, exploitation of this vulnerability may result in violations of these common standards and regulations due to unauthorized disclosure of sensitive user data.
