Skip to main content

Ninja Forms Excel Export CVE-2026-15161

| EUVDEUVD-2026-45136 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-17 Wordfence GHSA-wwwp-3vpq-g9xq
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R over the reporter's UI:N because stored XSS requires a victim admin to visit the page; all other metrics align with AV:N subscriber-level injection with cross-boundary scope change.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 05:18 vuln.today
CVE Published
Jul 17, 2026 - 03:43 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw $_POST['filter'] array into a WordPress option via update_option() without any capability check, nonce verification, or input sanitization, combined with the get_filter_row() method on the admin Excel Export screen concatenating the stored filter values (field_key, condition, value) directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress subscriber account
Delivery
Send crafted AJAX POST to save_filter() without nonce/capability check
Exploit
Malicious script stored in WordPress options table
Install
Administrator navigates to Excel Export admin page
C2
get_filter_row() renders unescaped payload into HTML attribute
Execute
Stored XSS executes in admin browser
Impact
Session token exfiltrated or admin actions performed

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with subscriber-level privileges or higher - unauthenticated exploitation is not possible given PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects medium-high risk but warrants scrutiny on the UI metric. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a subscriber-level account on the target WordPress site, then sends a crafted authenticated POST request to WordPress's admin-ajax.php targeting the save_filter AJAX action, embedding a JavaScript payload (e.g., a cookie-stealing script) inside the filter value field. The malicious payload is persisted silently in the WordPress options table with no error or indication. …
Remediation Update the Ninja Forms Excel Export plugin beyond version 3.3.6 immediately; consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e9ab836b-2798-43bd-b43b-8b7c7e81d42f for the confirmed patched release once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy