Impact
The vulnerability is a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions of Ninja Forms up to 3.14.1. The flaw allows an unauthenticated attacker to call this endpoint and read form submissions, which may contain sensitive data. The weakness is classified as CWE-862: Missing Authorization.
Affected Systems
All versions of the Ninja Forms plugin for WordPress up to and including 3.14.1, provided by kstover (Ninja Forms – The Contact Form Builder That Grows With You).
Risk and Exploitability
The CVSS score is 7.5, indicating high severity for information disclosure. No EPSS score is available, so the exploitation probability is unknown, but the vulnerable callback is reachable through a public REST endpoint and is therefore accessible to any web user. The vulnerability is not listed in CISA KEV and has no EPSS score, but the absence of these signals does not remove the need to patch. An attacker only needs to send a request to the endpoint to retrieve data, so the risk is moderate to high for sites that rely on this plugin to hold confidential information.
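A log check for the exposure described above, added here as an example and not taken from OpenCVE or the plugin: it scans web-server access logs for requests to the affected route and counts 2xx responses per client. Assumptions: Combined Log Format, WordPress's default `wp-json` REST prefix or the `rest_route` query parameter, and constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/ninja-forms-views/token/refresh"  # route named in the advisory
REST_PREFIX = "/wp-json"  # assumption: WordPress default REST prefix

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route_of(target):
    """Return the normalized REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find(REST_PREFIX + "/")
    if idx != -1:
        route = path[idx + len(REST_PREFIX):]
    else:
        # Plain-permalink form: /?rest_route=/namespace/route (parse_qs decodes %2F)
        values = parse_qs(parts.query).get("rest_route")
        if not values:
            return None
        route = values[0]
    return "/" + route.strip("/").lower()

def find_hits(lines):
    """Yield (ip, timestamp, status) for every request to the affected route."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and rest_route_of(m["target"]) == ROUTE:
            yield m["ip"], m["ts"], int(m["status"])

def summarize(lines):
    """Count 2xx responses per client IP; these are the requests to review first."""
    return Counter(ip for ip, _, status in find_hits(lines) if 200 <= status < 300)

# Constructed sample lines (documentation IP ranges), not real traffic.
# The advisory does not state the HTTP method, so the check matches any method.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-json/ninja-forms-views/token/refresh HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /?rest_route=%2Fninja-forms-views%2Ftoken%2Frefresh HTTP/1.1" 200 498 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "POST /wp-json/ninja-forms-views/token/refresh/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2025:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE).items():
        print(f"{ip}: {n} successful request(s) to {ROUTE}")
```

A hit is a request to review, not proof of data access; access logs alone do not show what the response body contained.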