Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible export endpoint requires only subscriber-level auth (PR:L); C:L reflects application-layer form data exposure with no integrity or availability impact and no scope change.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data - including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms - as a downloadable XLSX file.
AnalysisAI
Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the spreadsheet_export_form_id parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid WordPress account with at minimum the subscriber role on the target installation; the CVSS vector PR:L confirms authentication is required and unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) correctly identifies network reachability and low complexity but assigns C:L (partial confidentiality), which understates real-world data privacy consequences: a single successful request can yield all PII ever submitted to a given form, and iterating over form IDs exposes the entire site's submission history. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on the target WordPress site (or uses a previously compromised low-privilege account), then sends authenticated HTTP requests to the plugin's export endpoint with `spreadsheet_export_form_id` set to sequentially incremented integer values. For each valid form ID the server silently returns a complete XLSX file containing all stored submission records with no access control error. … |
| Remediation | No vendor-released patched version has been confirmed from available data; monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/783ccf21-db16-4aac-9a3c-992b3aac5526 and the WordPress plugin repository for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ninja Forms Excel Export
View allStored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated att
Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45128
GHSA-c8hw-hm2h-46fp