Impact
In the Ninja Forms - File Uploads plugin, the REST endpoints debug-log/delete-all and debug-log/get-all do not properly verify user authorization. An attacker who can reach the WordPress REST API can read every log entry stored in the wp_nf3_log table or permanently delete all rows from that table. This discloses potentially sensitive debugging information and disrupts debug logging, affecting the confidentiality and integrity of debug data on the site.
Affected Systems
The affected product is Ninja Forms - File Uploads by SaturdayDrive. Versions up to and including 3.3.29 contain the flaw. All installations running these versions are vulnerable.
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog. Since the attack requires only unauthenticated access to the site’s REST API, the risk of exploitation is high in environments where the REST API is publicly reachable. An attacker can immediately exploit the flaw without any additional prerequisites.
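For sites that ran an affected version, the web server access log shows whether the two debug-log routes were ever requested. The script below is an added example, not part of the advisory or the plugin's code. It assumes Combined Log Format and matches only the route suffixes named above, since the REST namespace is not given here; the sample log lines, addresses and the namespace `example-ns/v1` are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Route suffixes named in the advisory. The REST namespace in front of them is
# not given there, so only the suffix is matched.
ROUTES = ("debug-log/get-all", "debug-log/delete-all")

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the REST route of a request target, or None if it is not a REST call."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:  # pretty permalinks
        return path.split("/wp-json/", 1)[1].strip("/")
    # Plain permalinks: /index.php?rest_route=/ns/route (parse_qs decodes %2F)
    route = parse_qs(parts.query).get("rest_route")
    return route[0].strip("/") if route else None

def find_hits(lines):
    """Return one dict per logged request that targeted a debug-log route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        route = rest_route(m["target"]) if m else None
        if route is None:
            continue
        for suffix in ROUTES:
            if route.lower().endswith(suffix):
                status = int(m["status"])
                # 2xx means the server answered the call instead of refusing it
                hits.append({"ip": m["ip"], "ts": m["ts"], "route": suffix,
                             "status": status, "served": 200 <= status < 300})
    return hits

# Constructed sample lines: addresses, namespace "example-ns/v1" and methods are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-json/example-ns/v1/debug-log/get-all HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "POST /index.php?rest_route=%2Fexample-ns%2Fv1%2Fdebug-log%2Fdelete-all HTTP/1.1" 200 17 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2025:10:02:00 +0000] "GET /wp-json/example-ns/v1/debug-log/get-all/ HTTP/1.1" 401 90 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Access logs do not record who was logged in, so a hit with `served` set to true still has to be checked against known administrator activity. A served delete-all request also means the wp_nf3_log table itself may no longer hold evidence.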