Skip to main content

Ninja Forms Views CVE-2026-42741

| EUVDEUVD-2026-29450 HIGH
SQL Injection (CWE-89)
2026-05-12 Patchstack GHSA-rvq8-mhp5-38gf
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:31 vuln.today
CVE Published
May 12, 2026 - 11:02 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Ninja Forms Views &#8211; Display &amp; Edit Ninja Forms Submissions on your site frontend views-for-ninja-forms allows Blind SQL Injection.This issue affects Ninja Forms Views &#8211; Display &amp; Edit Ninja Forms Submissions on your site frontend: from n/a through <= 3.3.2.

AnalysisAI

Blind SQL injection in Ninja Forms Views plugin (versions ≤3.3.2) allows authenticated attackers with low-level privileges to extract sensitive database information via specially crafted queries. The vulnerability carries an 8.5 CVSS score with scope change, enabling attackers to access data beyond the plugin's normal authorization boundaries. Reported by Patchstack with detailed vendor advisory available, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-89 (SQL Injection) in the Ninja Forms Views WordPress plugin, which provides frontend display and editing functionality for Ninja Forms submissions. The CPE identifier indicates Aman's 'Ninja Forms Views' plugin for WordPress is affected. Blind SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized query usage, allowing attackers to infer database contents through Boolean-based or time-based techniques even when error messages are suppressed. The CVSS vector indicates network-based exploitation (AV:N) requiring only low-level authenticated access (PR:L), with scope change (S:C) suggesting the attacker can access resources beyond the vulnerable component's security context - typically meaning access to the entire WordPress database rather than just plugin-specific tables.

RemediationAI

Upgrade Ninja Forms Views plugin to version 3.3.3 or later if available, as version 3.3.2 is confirmed vulnerable in the Patchstack advisory. Consult the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/views-for-ninja-forms/ for the exact patched version and installation guidance. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: restrict plugin access to only administrator-level users via role-based access control (reduces attack surface but may disrupt legitimate workflows requiring lower-privilege form management); deploy a WordPress application firewall (WAF) with SQL injection signatures targeting the plugin's endpoints (adds latency and requires tuning to avoid false positives); enable comprehensive SQL query logging and monitor for time delays or Boolean pattern requests characteristic of blind SQLi (increases storage requirements and analysis overhead). As a last resort, temporarily deactivate the Ninja Forms Views plugin until patching is completed (eliminates vulnerability but removes frontend form display/editing functionality entirely). Review WordPress user accounts for unnecessary privileges and audit recent database access logs for signs of exploitation attempts.

Share

CVE-2026-42741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy