CVE Catalog

CVE-2026-1239

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

The Ninja Forms plugin for WordPress is vulnerable to unauthorized data access due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to and including 3.14.1. This allows unauthenticated attackers to view form submissions, which may contain sensitive information.

Risk Assessment

The risk involves potential leakage of sensitive user data, such as personal or financial information, which could lead to reputational and legal consequences for the organization.

Recommendation

It is recommended to immediately update the Ninja Forms plugin to the latest available version that fixes this vulnerability, and to check for any signs of unauthorized data access.

Original NVD description (English source)

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS