CVE-2026-1239
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
The Ninja Forms plugin for WordPress is vulnerable to unauthorized data access due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to and including 3.14.1. This allows unauthenticated attackers to view form submissions, which may contain sensitive information.
Risk Assessment
The risk involves potential leakage of sensitive user data, such as personal or financial information, which could lead to reputational and legal consequences for the organization.
Recommendation
It is recommended to immediately update the Ninja Forms plugin to the latest available version that fixes this vulnerability, and to check for any signs of unauthorized data access.
Original NVD description (English source)
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

