Skip to main content

Ninja Forms Excel Export

3 CVEs product

Monthly

CVE-2026-15161 MEDIUM This Month

Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). When administrative users subsequently visit the Excel Export admin page, the stored payload executes in their browser, enabling session hijack, credential theft, or further privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Ninja Forms Excel Export
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15159 MEDIUM This Month

Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the `spreadsheet_export_form_id` parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the low attack complexity (AC:L, no user interaction required beyond subscriber-level credentials) makes this a meaningful data privacy risk on WordPress sites with open user registration.

WordPress Authentication Bypass Ninja Forms Excel Export
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15160 MEDIUM This Month

Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to write .xls/.xlsx files to arbitrary server-side locations via the unsanitized 'spreadsheet_export_tmp_name' parameter. The vulnerability is a staging primitive: direct code execution is not possible through the traversal alone, but file placement in web-accessible or sensitive directories can enable follow-on attacks such as information disclosure or overwriting existing files. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal WordPress Ninja Forms Excel Export
NVD
CVSS 3.1
4.3
EPSS
0.5%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). When administrative users subsequently visit the Excel Export admin page, the stored payload executes in their browser, enabling session hijack, credential theft, or further privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Ninja Forms Excel Export
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the `spreadsheet_export_form_id` parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the low attack complexity (AC:L, no user interaction required beyond subscriber-level credentials) makes this a meaningful data privacy risk on WordPress sites with open user registration.

WordPress Authentication Bypass Ninja Forms Excel Export
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to write .xls/.xlsx files to arbitrary server-side locations via the unsanitized 'spreadsheet_export_tmp_name' parameter. The vulnerability is a staging primitive: direct code execution is not possible through the traversal alone, but file placement in web-accessible or sensitive directories can enable follow-on attacks such as information disclosure or overwriting existing files. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal WordPress Ninja Forms Excel Export
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy