Description
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.
Published: 2026-07-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Ninja Forms - File Uploads plugin where the REST endpoints for debug-log/delete-all and debug-log/get-all do not properly verify user authorization. An attacker who can reach the WordPress REST API can read every log entry stored in the wp_nf3_log table or permanently delete all rows from that table. This allows disclosure of potentially sensitive debugging information and disrupts debug logging functionality, affecting confidentiality and integrity of debug data within the site.

Affected Systems

The affected product is Ninja Forms - File Uploads by SaturdayDrive. Versions up to and including 3.3.29 contain the flaw. All installations running these versions are vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog. Since the attack requires only unauthenticated access to the site’s REST API, the risk of exploitation is high in environments where the REST API is publicly reachable. An attacker can immediately exploit the flaw without any additional prerequisites.

Generated by OpenCVE AI on July 3, 2026 at 09:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ninja Forms - File Uploads plugin to version 3.3.30 or later.
  • If updating is not immediately possible, restrict access to the /wp-json/nf3/v1/debug-log/* endpoints via a firewall or server access control to limit them to trusted IP ranges.
  • Regularly audit the wp_nf3_log table for unexpected deletions or unusual entries to detect potential abuse.
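
Added example, not part of the OpenCVE record or the plugin's code: a log check that supports the access restriction and audit steps above by listing requests to the debug-log routes that come from outside trusted ranges. The trusted ranges, the combined access-log format and the sample lines are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: admin/VPN ranges allowed to reach the debug-log routes.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
ROUTE_PREFIX = "/nf3/v1/debug-log/"  # route prefix named in the advisory
# Apache/nginx "combined" access log line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    parts = urlsplit(target)
    path = re.sub(r"/{2,}", "/", unquote(parts.path))
    idx = path.find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):]
    # WordPress also serves REST routes through the rest_route query
    # parameter, so an access rule on /wp-json/ alone is incomplete.
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_requests(lines):
    hits = []  # (timestamp, ip, method, route, status) per untrusted request
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        if route and route.lower().startswith(ROUTE_PREFIX) and not is_trusted(m["ip"]):
            hits.append((m["ts"], m["ip"], m["method"], route, int(m["status"])))
    return hits

# Constructed sample lines (documentation IPs; HTTP methods are arbitrary).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jul/2026:10:01:12 +0000] "GET /wp-json/nf3/v1/debug-log/get-all HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '10.1.2.3 - - [03/Jul/2026:10:02:00 +0000] "GET /wp-json/nf3/v1/debug-log/get-all HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Jul/2026:10:03:40 +0000] "POST /index.php?rest_route=%2Fnf3%2Fv1%2Fdebug-log%2Fdelete-all HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.9 - - [03/Jul/2026:10:04:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "-"',
]
```

A 2xx status on a flagged line means the request was served, so treat the log table contents as disclosed or altered from that timestamp onward.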

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 08:30:00 +0000

Values removed: none
Values added:
  • First Time appeared: Saturdaydrive; Saturdaydrive ninja Forms - File Uploads; Wordpress; Wordpress wordpress
  • Vendors & Products: Saturdaydrive; Saturdaydrive ninja Forms - File Uploads; Wordpress; Wordpress wordpress

Fri, 03 Jul 2026 05:30:00 +0000

Values removed: none
Values added:
  • Description: The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.
  • Title: Ninja Forms - File Uploads <= 3.3.29 - Missing Authorization to Unauthenticated Log Disclosure and Deletion via debug-log/delete-all and debug-log/get-all REST Endpoints
  • Weaknesses: CWE-862
  • References:
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T04:30:16.018Z

Reserved: 2026-06-17T20:03:34.649Z

Link: CVE-2026-12557

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T09:45:05Z

Weaknesses