Skip to main content

Ninja Forms CVE-2026-1239

| EUVDEUVD-2026-40913 HIGH
Missing Authorization (CWE-862)
2026-07-01 Wordfence GHSA-28rc-qxcc-hgg9
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network REST request (AV:N/AC:L/PR:N/UI:N) discloses stored submissions with no integrity or availability impact, so C:H and I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 07:16 vuln.today
CVE Published
Jul 01, 2026 - 05:35 cve.org
HIGH 7.5

DescriptionCVE.org

The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

AnalysisAI

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Ninja Forms
Delivery
Send unauthenticated request to token/refresh REST endpoint
Exploit
Bypass missing authorization check
Execution
Retrieve stored form submissions
Impact
Exfiltrate sensitive PII

Vulnerability AssessmentAI

Exploitation The specific prerequisite is that the target runs the Ninja Forms plugin (version ≤ 3.14.1) with the REST route 'ninja-forms-views/token/refresh' reachable - this is part of the plugin's default REST registration, so no non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent with the description: network vector, low complexity, no privileges, no user interaction, and a confidentiality-only impact - matching an unauthenticated data-disclosure bug with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates WordPress sites running Ninja Forms and sends an unauthenticated HTTP request to the '/wp-json/ninja-forms-views/token/refresh' REST endpoint, which returns form submission data without any authorization check. The attacker harvests submitted PII (names, emails, messages, and any custom fields) from targeted sites at scale. …
Remediation Upgrade Ninja Forms to the first release after 3.14.1 that includes the authorization fix committed in plugins.trac changeset 3489168 (https://plugins.trac.wordpress.org/changeset/3489168/ninja-forms); the input does not state an exact fix version number, so confirm the current patched release (3.14.2 or later) on the plugin page before deploying and review the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/973ebafc-85c0-4cc5-b307-2fdb0a4a7577. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Ninja Forms presence and versions; immediately deactivate the plugin and export form submission database for security review. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-1239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy