Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend views-for-ninja-forms allows Blind SQL Injection.This issue affects Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend: from n/a through <= 3.3.2.
AnalysisAI
Blind SQL injection in Ninja Forms Views plugin (versions ≤3.3.2) allows authenticated attackers with low-level privileges to extract sensitive database information via specially crafted queries. The vulnerability carries an 8.5 CVSS score with scope change, enabling attackers to access data beyond the plugin's normal authorization boundaries. Reported by Patchstack with detailed vendor advisory available, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Technical ContextAI
This vulnerability exploits CWE-89 (SQL Injection) in the Ninja Forms Views WordPress plugin, which provides frontend display and editing functionality for Ninja Forms submissions. The CPE identifier indicates Aman's 'Ninja Forms Views' plugin for WordPress is affected. Blind SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized query usage, allowing attackers to infer database contents through Boolean-based or time-based techniques even when error messages are suppressed. The CVSS vector indicates network-based exploitation (AV:N) requiring only low-level authenticated access (PR:L), with scope change (S:C) suggesting the attacker can access resources beyond the vulnerable component's security context - typically meaning access to the entire WordPress database rather than just plugin-specific tables.
RemediationAI
Upgrade Ninja Forms Views plugin to version 3.3.3 or later if available, as version 3.3.2 is confirmed vulnerable in the Patchstack advisory. Consult the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/views-for-ninja-forms/ for the exact patched version and installation guidance. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: restrict plugin access to only administrator-level users via role-based access control (reduces attack surface but may disrupt legitimate workflows requiring lower-privilege form management); deploy a WordPress application firewall (WAF) with SQL injection signatures targeting the plugin's endpoints (adds latency and requires tuning to avoid false positives); enable comprehensive SQL query logging and monitor for time delays or Boolean pattern requests characteristic of blind SQLi (increases storage requirements and analysis overhead). As a last resort, temporarily deactivate the Ninja Forms Views plugin until patching is completed (eliminates vulnerability but removes frontend form display/editing functionality entirely). Review WordPress user accounts for unnecessary privileges and audit recent database access logs for signs of exploitation attempts.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29450
GHSA-rvq8-mhp5-38gf