Description
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.
Published: 2026-03-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in Ninja Forms up to version 3.14.1 allows authenticated users with Contributor-level access or higher to obtain an authorization token that grants visibility into form submissions. This token can be used to view any form submission data, potentially exposing personally identifiable information, credentials, or other sensitive content that should remain confidential.

Affected Systems

The affected product is the WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You, specifically all releases through and including version 3.14.1. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, and the vulnerability is not listed in the CISA KEV catalog. While no EPSS score is provided, the attack requires a valid Contributor or higher role, a common privilege level in many installations. An attacker could exploit the exposed token to download or view all form submissions, leading to confidentiality compromise. The low privilege requirement lowers the barrier to exploitation, and the exposure poses a meaningful risk to sites handling sensitive data.

Generated by OpenCVE AI on March 28, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ninja Forms update (version 3.14.2 or later) as soon as possible.
  • If upgrading is not immediately possible, restrict Contributor-level permissions to prevent unauthorized access to the block editor token.
  • Review and audit form submission access settings to ensure only authorized roles can view submission data.

Tracking

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 18:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Kstover
                                       Kstover ninja Forms – The Contact Form Builder That Grows With You
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Kstover
                                       Kstover ninja Forms – The Contact Form Builder That Grows With You
                                       Wordpress
                                       Wordpress wordpress

Sat, 28 Mar 2026 07:00:00 +0000

Type                 Values Removed    Values Added
Description                            The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.
Title                                  Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token
Weaknesses                             CWE-200
References
Metrics                                cvssV3_1
                                       {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Kstover: Ninja Forms – The Contact Form Builder That Grows With You
Wordpress: Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:30.418Z

Reserved: 2026-01-21T19:28:24.128Z

Link: CVE-2026-1307

Vulnrichment

Updated: 2026-03-30T18:04:52.057Z

NVD

Status: Deferred

Published: 2026-03-28T07:15:55.950

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-1307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:59:50Z

Weaknesses