Description
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.
Published: 2026-07-01
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions of Ninja Forms up to 3.14.1. The flaw allows an attacker without authentication to call this endpoint and read form submissions, potentially containing sensitive data. The weakness is classified as CWE-862: Missing Authorization.

Affected Systems

All versions of the Ninja Forms plugin for WordPress up to and including 3.14.1, provided by kstover (Ninja Forms – The Contact Form Builder That Grows With You).

Risk and Exploitability

The CVSS score is 7.5, indicating high severity for information disclosure. EPSS is not available, so the exploitation probability is unknown, but the affected REST endpoint is publicly reachable, so any web client can call it. The vulnerability is not listed in CISA KEV, and the lack of an EPSS score does not remove the need to patch. A single request to the endpoint is enough to retrieve data, so the risk is moderate to high for sites that rely on this plugin to hold confidential information.

Generated by OpenCVE AI on July 1, 2026 at 08:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ninja Forms plugin to a version that includes the authorization fix (≥3.14.2 if available).
  • If an upgrade is not immediately possible, restrict the REST API endpoint by blocking unauthenticated traffic via a security plugin or firewall rules.
  • Monitor server logs for unexpected access to /wp-json/ninja-forms-views/token/refresh to detect potential exploitation attempts.
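A detection pass over web-server access logs that implements the monitoring recommendation above. This is an added example, not OpenCVE or Ninja Forms code; it assumes nginx/Apache combined log format, uses constructed log lines, and also matches the `?rest_route=` form WordPress serves when pretty permalinks are disabled.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2026:07:01:12 +0000] "POST /wp-json/ninja-forms-views/token/refresh HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jul/2026:07:01:15 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2026:07:01:16 +0000] "POST /wp-json/ninja-forms-views/token/refresh HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [01/Jul/2026:07:02:03 +0000] "GET /index.php?rest_route=/ninja-forms-views/token/refresh HTTP/1.1" 200 510 "-" "curl/8.4"
"""

# Route named in the advisory; WordPress exposes it under /wp-json/ or via ?rest_route=.
ROUTE = "/ninja-forms-views/token/refresh"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def targets_token_refresh(target: str) -> bool:
    """True if the request target resolves to the token/refresh REST route."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    # Sites without pretty permalinks route REST calls through index.php?rest_route=...
    for value in parse_qs(parts.query).get("rest_route", []):
        if value.rstrip("/") == ROUTE:
            return True
    return False


def find_token_refresh_hits(log_text: str) -> list:
    """Return one record per request that reached the endpoint.

    Access logs do not record whether the caller was authenticated, so every
    hit is worth review on an unpatched site, not only the ones flagged below.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and targets_token_refresh(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits


def successful_hits_per_ip(hits: list) -> Counter:
    """Count 2xx responses per client; repeated successes are the strongest signal."""
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)
```

Feed the script your real access log instead of SAMPLE_LOG and review any client that appears in the per-IP counter.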


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 06:45:00 +0000

Values added (initial record; no values removed):

  • Description: The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.
  • Title: Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint
  • Weaknesses: CWE-862
  • References: (none recorded)
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T05:35:30.183Z

Reserved: 2026-01-20T17:56:47.784Z

Link: CVE-2026-1239

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T08:45:15Z

Weaknesses