Description
The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.
Published: 2026-02-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The Ninja Forms plugin for WordPress contains a flaw in the nf_ajax_submit AJAX action: the ninja_forms_merge_tags filter is applied to user-supplied input in repeater fields without an authorization check. An unauthenticated user can therefore submit {post_meta:KEY} merge tags and have them resolved, revealing arbitrary post metadata. Consequently, an attacker can read sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information, which is a breach of confidentiality.

Affected Systems

All Ninja Forms versions up to and including 3.14.0 are affected; any WordPress site with one of those versions installed is exposed.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high impact with an unauthenticated external attack vector. The EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, an attacker who discovers the public nf_ajax_submit endpoint could exploit the lack of authorization checks to harvest sensitive metadata from the site without needing to authenticate.

Generated by OpenCVE AI on April 16, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ninja Forms plugin to the latest released version that removes the unsafe merge tag processing, ensuring that proper authorization checks are performed.
  • If an immediate upgrade is not possible, disable or remove the nf_ajax_submit AJAX action or restrict its usage to authenticated administrators only.
  • Apply generic WordPress security best practices: keep all plugins updated, review all custom code for merge tag handling, and use security plugins to block unauthenticated access to AJAX endpoints.
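As an added example (not code from this record, from Ninja Forms or from OpenCVE), the following Python snippet gives a defender two quick checks: whether an installed version string falls in the affected range stated above, and whether a captured admin-ajax POST body for the nf_ajax_submit action carries {post_meta:KEY} merge tags inside submitted field values, which a legitimate visitor has no reason to send. The assumption that field values travel as a JSON string in a formData parameter, and the sample request body, are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, quote

# Merge tags use the {type:key} syntax; this record documents {post_meta:KEY}.
# Widen the pattern if other merge-tag types matter on your site.
POST_META_TAG_RE = re.compile(r"\{post_meta:[^{}]+\}")

# Upper bound of the affected range given in the record (<= 3.14.0).
AFFECTED_MAX = (3, 14, 0)


def is_affected(version: str) -> bool:
    """True when the installed Ninja Forms version is in the stated affected range.
    A version above 3.14.0 is merely outside that range; confirm the fix in the
    vendor changelog before treating the site as patched."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts = parts + (0,) * (3 - len(parts))  # "3.14" compares like "3.14.0"
    return parts <= AFFECTED_MAX


def find_post_meta_tags(node) -> list:
    """Walk a JSON-like structure (nested lists/dicts cover repeater rows) and
    return every {post_meta:...} tag found in any string value."""
    if isinstance(node, str):
        return POST_META_TAG_RE.findall(node)
    if isinstance(node, dict):
        return [t for v in node.values() for t in find_post_meta_tags(v)]
    if isinstance(node, list):
        return [t for v in node for t in find_post_meta_tags(v)]
    return []


def inspect_submission(body: str) -> list:
    """Inspect a url-encoded admin-ajax POST body and return the merge tags found
    in its field values ([] when the action is not nf_ajax_submit or none found).
    ASSUMPTION: field values are carried as a JSON string in 'formData'."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "nf_ajax_submit":
        return []
    raw = params.get("formData", [""])[0]
    try:
        data = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        data = raw  # not JSON after all; still scan the raw string
    return find_post_meta_tags(data)


# Constructed sample: one repeater row whose text field carries a merge tag.
SAMPLE_FORM = {"id": "1", "fields": [{"id": "7", "value": "hello"},
               {"id": "9", "value": [{"id": "9.1", "value": "{post_meta:some_key}"}]}]}
SAMPLE_BODY = "action=nf_ajax_submit&formData=" + quote(json.dumps(SAMPLE_FORM))
```

Run the version check from a WP-CLI or inventory script and the body check over request bodies captured by your WAF or reverse proxy; a hit on an unauthenticated request is worth an alert.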

Generated by OpenCVE AI on April 16, 2026 at 01:03 UTC.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type: First Time appeared
Values Added: Kstover; Kstover ninja Forms – The Contact Form Builder That Grows With You; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Kstover; Kstover ninja Forms – The Contact Form Builder That Grows With You; Wordpress; Wordpress wordpress

Tue, 10 Feb 2026 09:45:00 +0000

Type: Description
Values Added: The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.

Type: Title
Values Added: Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Kstover Ninja Forms – The Contact Form Builder That Grows With You
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:13.844Z

Reserved: 2026-02-09T20:41:21.736Z

Link: CVE-2026-2268

Vulnrichment

Updated: 2026-02-10T15:28:35.541Z

NVD

Status : Deferred

Published: 2026-02-10T10:16:00.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses