Description
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation on the maybe_opt_in() function. This makes it possible for unauthenticated attackers to opt an affected site into usage statistics collection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unintended Settings Modification via Cross‑Site Request Forgery
Action: Update Plugin
AI Analysis

Impact

Ninja Forms, a WordPress form-builder plugin, contains a Cross-Site Request Forgery vulnerability (CWE-352) in its maybe_opt_in() function, which performs missing or incorrect nonce validation. Because the handler does not verify that the request originated from the plugin's own settings page, an attacker who holds no credentials on the site can craft a page or link that submits the opt-in request; when a logged-in site administrator visits it, the browser attaches the administrator's session cookies and the site is opted in to usage-statistics collection. The impact is confined to integrity (CVSS C:N/I:L/A:N): no site data is disclosed to the attacker and no code runs, but a setting the administrator did not choose is changed, and the site begins reporting usage data to the plugin maintainers.

Affected Systems

All installations of the Ninja Forms plugin for WordPress at version 3.12.0 or earlier are affected. The advisory states no lower bound, so every release up to and including 3.12.0 should be treated as vulnerable until the site is updated to a release that addresses the issue.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) rates the issue Medium: it is reachable over the network without credentials, but it requires user interaction and affects integrity only. The EPSS score below 1% indicates a low probability of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. In practice the attacker must lure an administrator who is currently logged in to the site into visiting a crafted page or clicking a link; the payoff is a single settings change, not code execution or credential theft. The risk is therefore largely limited to an unwanted opt-in to data collection, unless the lure is part of a broader social-engineering campaign.

Generated by OpenCVE AI on April 21, 2026 at 02:46 UTC.
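To make the weakness class concrete, the following is an added illustration written for this entry. It is not Ninja Forms code and does not reproduce the plugin's real maybe_opt_in() implementation; the hook names, option name, nonce action and function names are all assumptions chosen for the example. It shows a WordPress AJAX handler in the shape the advisory describes (a settings write reached with no nonce or capability check) next to a hardened version that uses the standard WordPress nonce and capability APIs.

```php
<?php
/**
 * Added example, not Ninja Forms code. Everything named "example_*" is an
 * assumption made for illustration: the hook names, the option name and
 * the nonce action string do not come from the plugin.
 */

// --- Vulnerable shape ---------------------------------------------------
// A POST to wp-admin/admin-ajax.php?action=example_opt_in_vuln is honoured
// whenever the browser sends a logged-in administrator's session cookies.
// A form on an attacker-controlled page, auto-submitted by JavaScript,
// does exactly that; the attacker never needs an account on the site.
function example_maybe_opt_in_vulnerable() {
    if ( isset( $_POST['opt_in'] ) && '1' === $_POST['opt_in'] ) {
        update_option( 'example_usage_stats_opt_in', 1 ); // assumed option name
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_opt_in_vuln', 'example_maybe_opt_in_vulnerable' );

// --- Hardened shape -----------------------------------------------------
function example_maybe_opt_in_fixed() {
    // 1. Nonce: the request must carry a token that the administrator's own
    //    settings page rendered. A cross-site page cannot read that token
    //    (same-origin policy), so a forged request fails here. The third
    //    argument (false) makes check_ajax_referer() return instead of
    //    calling wp_die(), so the handler can send a JSON error itself.
    if ( ! check_ajax_referer( 'example_opt_in', '_wpnonce', false ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }

    // 2. Capability: a valid nonce proves intent, not authority. Changing a
    //    plugin setting should also require the right to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Only now act on the input, after normalising it.
    $opt_in = isset( $_POST['opt_in'] )
        && '1' === sanitize_text_field( wp_unslash( $_POST['opt_in'] ) );
    update_option( 'example_usage_stats_opt_in', $opt_in ? 1 : 0 );
    wp_send_json_success( array( 'opt_in' => $opt_in ) );
}
// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ variant, so a request with no WordPress session at all
// is never dispatched to this handler.
add_action( 'wp_ajax_example_opt_in', 'example_maybe_opt_in_fixed' );

// --- Settings page side --------------------------------------------------
// wp_nonce_field() emits the hidden _wpnonce input (plus a referer field)
// bound to the current user and the 'example_opt_in' action, which is what
// check_ajax_referer() above verifies.
function example_render_opt_in_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_opt_in">
        <?php wp_nonce_field( 'example_opt_in', '_wpnonce' ); ?>
        <label>
            <input type="checkbox" name="opt_in" value="1">
            Share anonymous usage statistics
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two checks do different jobs and both are needed. The nonce is WordPress's CSRF defence: it is tied to the logged-in user and to a specific action, and an attacker's page has no way to obtain it, so the forged request in the advisory's scenario is rejected at the first check. The capability check is what stops a low-privileged account from making the same settings change directly; it is not a substitute for the nonce, because in the CSRF case the request genuinely arrives as the administrator. When the same kind of handler runs through admin-post.php rather than admin-ajax.php, check_admin_referer() is the equivalent call.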

Remediation

No vendor fix or workaround is recorded in this entry.

OpenCVE Recommended Actions

  • Upgrade Ninja Forms to version 3.12.1 or later, which adds the missing nonce validation to the affected handler.
  • After updating, review the plugin's usage-statistics setting: an update does not revert a change that was already made, so opt the site back out if it was opted in without the administrator's intent.
  • If an upgrade is not immediately possible, deactivate the Ninja Forms plugin until the patched version can be installed.

Generated by OpenCVE AI on April 21, 2026 at 02:46 UTC.

Advisories
Source   ID                 Title
EUVD     EUVD-2025-31403    Same text as the Description above (Ninja Forms <= 3.12.0, CSRF via missing or incorrect nonce validation on maybe_opt_in()).
History

Tue, 23 Dec 2025 19:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Ninjaforms; Ninjaforms ninja Forms
CPEs                  -                 cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products    -                 Ninjaforms; Ninjaforms ninja Forms

Mon, 29 Sep 2025 14:15:00 +0000

Type                  Values Removed    Values Added
Metrics               -                 ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial


Mon, 29 Sep 2025 09:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Wordpress; Wordpress wordpress
Vendors & Products    -                 Wordpress; Wordpress wordpress

Sat, 27 Sep 2025 02:45:00 +0000

Type                  Values Removed    Values Added
Description           -                 The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation on the maybe_opt_in() function. This makes it possible for unauthenticated attackers to opt an affected site into usage statistics collection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                 -                 Ninja Forms – The Contact Form Builder That Grows With You <= 3.12.0 - Cross-Site Request Forgery to Plugin Settings Update
Weaknesses            -                 CWE-352
References            -                 -
Metrics               -                 cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:46.315Z

Reserved: 2025-09-15T20:58:58.782Z

Link: CVE-2025-10499

Vulnrichment

Updated: 2025-09-29T13:55:14.483Z

NVD

Status : Analyzed

Published: 2025-09-27T03:15:32.940

Modified: 2025-12-23T18:57:13.767

Link: CVE-2025-10499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses