Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network REST request (AV:N/AC:L/PR:N/UI:N) discloses stored submissions with no integrity or availability impact, so C:H and I:N/A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.
Articles & Coverage 1
AnalysisAI
Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The specific prerequisite is that the target runs the Ninja Forms plugin (version ≤ 3.14.1) with the REST route 'ninja-forms-views/token/refresh' reachable - this is part of the plugin's default REST registration, so no non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent with the description: network vector, low complexity, no privileges, no user interaction, and a confidentiality-only impact - matching an unauthenticated data-disclosure bug with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates WordPress sites running Ninja Forms and sends an unauthenticated HTTP request to the '/wp-json/ninja-forms-views/token/refresh' REST endpoint, which returns form submission data without any authorization check. The attacker harvests submitted PII (names, emails, messages, and any custom fields) from targeted sites at scale. … |
| Remediation | Upgrade Ninja Forms to the first release after 3.14.1 that includes the authorization fix committed in plugins.trac changeset 3489168 (https://plugins.trac.wordpress.org/changeset/3489168/ninja-forms); the input does not state an exact fix version number, so confirm the current patched release (3.14.2 or later) on the plugin page before deploying and review the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/973ebafc-85c0-4cc5-b307-2fdb0a4a7577. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for Ninja Forms presence and versions; immediately deactivate the plugin and export form submission database for security review. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40913
GHSA-28rc-qxcc-hgg9