Skip to main content

Ninja Forms Excel Export EUVDEUVD-2026-45128

| CVE-2026-15159 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 Wordfence GHSA-c8hw-hm2h-46fp
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible export endpoint requires only subscriber-level auth (PR:L); C:L reflects application-layer form data exposure with no integrity or availability impact and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 04:22 vuln.today
CVE Published
Jul 17, 2026 - 02:31 nvd
MEDIUM 4.3

DescriptionCVE.org

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data - including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms - as a downloadable XLSX file.

AnalysisAI

Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the spreadsheet_export_form_id parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or acquire subscriber-level WordPress account
Delivery
Authenticate and locate plugin export endpoint
Exploit
Submit requests with incremented spreadsheet_export_form_id values
Execution
Enumerate all valid form IDs site-wide
Persist
Download XLSX file for each form
Impact
Exfiltrate full PII submission dataset

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid WordPress account with at minimum the subscriber role on the target installation; the CVSS vector PR:L confirms authentication is required and unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) correctly identifies network reachability and low complexity but assigns C:L (partial confidentiality), which understates real-world data privacy consequences: a single successful request can yield all PII ever submitted to a given form, and iterating over form IDs exposes the entire site's submission history. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on the target WordPress site (or uses a previously compromised low-privilege account), then sends authenticated HTTP requests to the plugin's export endpoint with `spreadsheet_export_form_id` set to sequentially incremented integer values. For each valid form ID the server silently returns a complete XLSX file containing all stored submission records with no access control error. …
Remediation No vendor-released patched version has been confirmed from available data; monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/783ccf21-db16-4aac-9a3c-992b3aac5526 and the WordPress plugin repository for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy