Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R over the reporter's UI:N because stored XSS requires a victim admin to visit the page; all other metrics align with AV:N subscriber-level injection with cross-boundary scope change.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw $_POST['filter'] array into a WordPress option via update_option() without any capability check, nonce verification, or input sanitization, combined with the get_filter_row() method on the admin Excel Export screen concatenating the stored filter values (field_key, condition, value) directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with subscriber-level privileges or higher - unauthenticated exploitation is not possible given PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects medium-high risk but warrants scrutiny on the UI metric. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a subscriber-level account on the target WordPress site, then sends a crafted authenticated POST request to WordPress's admin-ajax.php targeting the save_filter AJAX action, embedding a JavaScript payload (e.g., a cookie-stealing script) inside the filter value field. The malicious payload is persisted silently in the WordPress options table with no error or indication. … |
| Remediation | Update the Ninja Forms Excel Export plugin beyond version 3.3.6 immediately; consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e9ab836b-2798-43bd-b43b-8b7c7e81d42f for the confirmed patched release once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ninja Forms Excel Export
View allDirectory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers
Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninj
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45136
GHSA-wwwp-3vpq-g9xq