CVE-2026-1307
Sensitive Information Exposure in Ninja Forms Plugin via Authenticated Access
Publication date: 2026-03-28
Last updated on: 2026-03-28
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpninjas | ninja_forms | up to and including 3.14.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Ninja Forms plugin for WordPress, up to version 3.14.1, has a vulnerability that allows authenticated users with Contributor-level access or higher to exploit a callback function in the admin_enqueue_scripts action handler. This vulnerability enables these users to obtain an authorization token that grants them access to view form submissions for any form, potentially exposing sensitive information contained within those submissions.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information submitted through forms on a WordPress site using the Ninja Forms plugin. Attackers with Contributor-level access or above can access authorization tokens to view submissions from arbitrary forms, which may include personal or confidential data. This exposure can compromise user privacy and the security of the data collected via these forms.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Ninja Forms WordPress plugin to version 3.14.2 or later; that release includes extensive code changes that likely address the security issue.
Ensure that only trusted users have Contributor-level access or higher, since the vulnerability allows authenticated users with such access to exploit the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Contributor-level access and above to gain access to an authorization token that can be used to view form submissions for arbitrary forms. These form submissions could potentially contain sensitive information.
Exposure of sensitive information through this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized access.
Therefore, exploitation of this vulnerability may result in violations of these common standards and regulations due to unauthorized disclosure of sensitive user data.