Description
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
Published: 2025-12-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Sensitive Information Exposure
Action: Patch Now
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that allows an unauthenticated attacker to retrieve complete form metadata and any submitted data by using a bearer token that was leaked when a page containing the Submissions Table block was loaded. Because the plugin fails to validate that a user is authorized to access this data, an attacker can obtain arbitrary form definitions and submission records, potentially exposing sensitive personal information and credentials. The weakness is cataloged as CWE‑639 and can lead to significant confidentiality breaches if sensitive submission content is captured.
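The defensive pattern the flaw calls for, shown here as an added illustration that is not Ninja Forms code: the REST route's permission_callback denies by default, and any bearer token it accepts is HMAC-bound to a single form ID and an expiry, so a token obtained for one form cannot be replayed against another. The nfv_demo_* names, the nfv-demo/v1 namespace and the manage_options capability are assumptions; wp_salt() supplies the key.

```php
<?php
// Added illustration, not Ninja Forms code: a REST route whose permission_callback
// checks authorization, and a bearer token scoped to one form ID so a token
// minted for one form cannot be replayed against another.
// Assumed names: nfv_demo_* functions, the 'nfv-demo/v1' namespace and the
// 'manage_options' capability; wp_salt() supplies the HMAC key.

// Mint a token bound to a single form ID and an expiry; only for authorized users.
function nfv_demo_mint_token( $form_id, $ttl = 600 ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    $payload = (int) $form_id . '|' . ( time() + $ttl );
    $mac     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    return base64_encode( $payload . '|' . $mac );
}

// Accept the token only if it is intact, unexpired and scoped to the requested form.
function nfv_demo_token_allows( $token, $requested_form_id ) {
    $raw   = base64_decode( (string) $token, true );
    $parts = explode( '|', $raw === false ? '' : $raw );
    if ( count( $parts ) !== 3 ) {
        return false;
    }
    list( $form_id, $expires, $mac ) = $parts;
    $expected = hash_hmac( 'sha256', $form_id . '|' . $expires, wp_salt( 'auth' ) );
    return hash_equals( $expected, $mac )
        && (int) $expires > time()
        && (int) $form_id === (int) $requested_form_id; // the scope check an unscoped token lacks
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'nfv-demo/v1', '/forms/(?P<id>\d+)/submissions', array(
        'methods'             => 'GET',
        // Deny by default: either a capable logged-in user or a token scoped to this form.
        'permission_callback' => function ( WP_REST_Request $req ) {
            $token = preg_replace( '/^Bearer\s+/i', '', (string) $req->get_header( 'authorization' ) );
            return current_user_can( 'manage_options' )
                || nfv_demo_token_allows( $token, $req['id'] );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            // Placeholder body; a real handler would load the submissions for $req['id'].
            return rest_ensure_response( array( 'form_id' => (int) $req['id'] ) );
        },
    ) );
} );
```

Note that the minting step itself sits behind a capability check; the 3.13.1 regression described above was precisely an endpoint that minted tokens for arbitrary form IDs without such a check.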

Affected Systems

The affected product is the Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress. All releases through version 3.13.2 are vulnerable. Although an earlier patch was released in 3.13.1, it introduced a new flaw that still allows bearer‑token generation for arbitrary forms, so only versions later than 3.13.2 (currently 3.13.3 and newer) are considered safe.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a very low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog, which supports the low likelihood assessment. However, if an attacker can obtain a bearer token, the IDOR can be exploited via the publicly exposed REST endpoints, giving them read‑only access to all submission data. The impact is therefore primarily confidentiality exposure and possible compromise of personal data.

Generated by OpenCVE AI on April 22, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ninja Forms plugin to the latest stable release that removes the IDOR flaw (currently 3.13.3 or newer).
  • Block unauthenticated access to the `ninja-forms-views` REST endpoints using a web-application firewall, security plugin, or server-side rules such as .htaccess restrictions.
  • Review all existing form submissions for exposed sensitive data, delete or redact any compromised entries, and rotate any credentials that may have been inadvertently included in submissions.

Advisories

No advisories yet.

History

Mon, 05 Jan 2026 15:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ninjaforms; Ninjaforms ninja Forms
CPEs                |                | cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Ninjaforms; Ninjaforms ninja Forms

Wed, 17 Dec 2025 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Dec 2025 14:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Wed, 17 Dec 2025 07:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
Title       |                | Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:52.125Z

Reserved: 2025-10-17T18:54:25.934Z

Link: CVE-2025-11924

Vulnrichment

Updated: 2025-12-17T21:42:17.956Z

NVD

Status : Analyzed

Published: 2025-12-17T07:15:57.750

Modified: 2026-01-05T15:23:54.313

Link: CVE-2025-11924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses