CVE-2026-1239
Received - Intake

Unauthenticated Data Access in Ninja Forms WordPress Plugin

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
ninja_forms | ninja_forms | to 3.14.1 (inc)

Exploitability

CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

The Ninja Forms plugin for WordPress has a vulnerability due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to and including 3.14.1.

This flaw allows unauthenticated attackers to access form submissions without proper permission.

Since form submissions may contain sensitive information, this unauthorized access poses a security risk.

Impact Analysis

This vulnerability can allow attackers who are not logged in to view sensitive data submitted through forms on a WordPress site using the affected Ninja Forms plugin.

Such unauthorized data exposure can lead to privacy breaches, data leaks, and potential misuse of sensitive information.

Compliance Impact

This vulnerability allows unauthenticated attackers to access form submissions that may contain sensitive information due to a missing authorization check. Such unauthorized data exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Organizations using the affected Ninja Forms plugin versions may risk violating these standards because the vulnerability compromises confidentiality by enabling unauthorized data access.
