CVE-2026-15159
Received Received - Intake

Insecure Direct Object Reference in Ninja Forms Excel Export Plugin

Vulnerability report for CVE-2026-15159, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Wordfence

Description

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data β€” including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms β€” as a downloadable XLSX file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ninja_forms excel_export to 3.3.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Ninja Forms - Excel Export WordPress plugin. It affects versions up to 3.3.6 and is caused by missing validation on the 'spreadsheet_export_form_id' parameter. Authenticated attackers with subscriber-level access or higher can exploit this to enumerate form IDs and download all stored submission data, including personally identifiable information (PII) like names, emails, and addresses, as an XLSX file.

Detection Guidance

To detect this vulnerability, check WordPress sites running the Ninja Forms - Excel Export plugin versions up to 3.3.6. Look for unauthorized XLSX file downloads or unusual form ID enumeration attempts in server logs. Monitor for requests containing the 'spreadsheet_export_form_id' parameter.

Impact Analysis

If you are a WordPress site owner using the affected plugin, attackers could access sensitive user data collected by your forms. This includes personal information submitted by visitors, which could lead to privacy breaches, identity theft, or misuse of data. The impact depends on the type of data collected by your forms.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to unauthorized access to personal data. GDPR requires protecting personal data, and HIPAA mandates safeguarding protected health information. A breach could result in legal penalties, fines, and reputational damage for organizations handling regulated data.

Mitigation Strategies

Immediately update the Ninja Forms - Excel Export plugin to the latest version beyond 3.3.6. If an update is unavailable, disable or remove the plugin. Review server logs for signs of exploitation and restrict subscriber-level access to sensitive functions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15159. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart