Ninja Forms Excel Export
Monthly
Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). When administrative users subsequently visit the Excel Export admin page, the stored payload executes in their browser, enabling session hijack, credential theft, or further privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis.
Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the `spreadsheet_export_form_id` parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the low attack complexity (AC:L, no user interaction required beyond subscriber-level credentials) makes this a meaningful data privacy risk on WordPress sites with open user registration.
Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to write .xls/.xlsx files to arbitrary server-side locations via the unsanitized 'spreadsheet_export_tmp_name' parameter. The vulnerability is a staging primitive: direct code execution is not possible through the traversal alone, but file placement in web-accessible or sensitive directories can enable follow-on attacks such as information disclosure or overwriting existing files. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Ninja Forms Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into the admin Excel Export screen. The dual root cause is a missing capability check and nonce verification in the save_filter() AJAX handler - enabling any authenticated user to write arbitrary filter data to WordPress options - combined with unescaped concatenation of that data into HTML attributes in get_filter_row(). When administrative users subsequently visit the Excel Export admin page, the stored payload executes in their browser, enabling session hijack, credential theft, or further privilege escalation. No public exploit code or CISA KEV listing has been identified at time of analysis.
Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the `spreadsheet_export_form_id` parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the low attack complexity (AC:L, no user interaction required beyond subscriber-level credentials) makes this a meaningful data privacy risk on WordPress sites with open user registration.
Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to write .xls/.xlsx files to arbitrary server-side locations via the unsanitized 'spreadsheet_export_tmp_name' parameter. The vulnerability is a staging primitive: direct code execution is not possible through the traversal alone, but file placement in web-accessible or sensitive directories can enable follow-on attacks such as information disclosure or overwriting existing files. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.