Skip to main content

Ninja Forms The Contact Form Builder That Grows With You

1 CVEs product

Monthly

CVE-2026-1239 HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy