CVE-2026-2268
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.
Analysis
Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the `nf_ajax_submit` AJAX action and currently lacks a patch.
Remediation
Within 24 hours: Identify all WordPress sites using Ninja Forms and document current versions; assess whether repeater fields containing sensitive data are active.
Within 7 days: Implement WAF rules to block requests containing merge tag patterns (`{post_meta:*}`); consider disabling the Ninja Forms plugin if not business-critical, or disable repeater fields if feasible. …
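One way to express the merge-tag check from the remediation above as request-inspection logic, usable in a WAF hook or for hunting through captured request bodies. This is an added example, not code from vuln.today or from the Ninja Forms project; it assumes form-encoded requests, and the parameter name `payload`, the key `example_key` and the decode-round limit are placeholders chosen for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode

# Merge-tag form named in the advisory: {post_meta:KEY}
MERGE_TAG = re.compile(r"\{\s*post_meta\s*:\s*([^{}]+?)\s*\}", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: how many extra layers of URL-encoding to unwrap

def _strings(node):
    """Yield every string (keys and values) inside a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        node = [*node.keys(), *node.values()]
    if isinstance(node, list):
        for item in node:
            yield from _strings(item)

def _candidates(value):
    """Yield the value, its JSON-decoded strings, and further URL-decodings."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS + 1):
        yield current
        try:
            yield from _strings(json.loads(current))  # resolves \u007b-style escapes
        except (ValueError, RecursionError):
            pass
        decoded = unquote_plus(current)
        if decoded == current:
            return
        current = decoded

def find_post_meta_tags(body, query=""):
    """Return the post_meta keys referenced in an nf_ajax_submit request, else []."""
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    if ("action", "nf_ajax_submit") not in params:
        return []
    keys = set()
    for _, value in params:  # scan every parameter, not one assumed field name
        for text in _candidates(value):
            keys.update(m.group(1) for m in MERGE_TAG.finditer(text))
    return sorted(keys)

# Constructed samples; "payload" and "example_key" are placeholders, not plugin names.
PLAIN = urlencode({"action": "nf_ajax_submit", "payload": '{"v": "{post_meta:example_key}"}'})
ESCAPED = urlencode({"action": "nf_ajax_submit",
                     "payload": r'{"v": "\u007bpost_meta:example_key\u007d"}'})
if __name__ == "__main__":
    print(find_post_meta_tags(PLAIN), find_post_meta_tags(ESCAPED))
```

A plain substring match on `{post_meta:` would miss the second sample, where the braces arrive as JSON `\u007b`/`\u007d` escapes; the function checks the raw value, its JSON-decoded strings and repeated URL-decodings for that reason.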