Ninja Forms < 3.12.1 – Statistics Collection Opt In via CSRF | CVE 2025-10499 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the maybe_opt_in() function. This makes it possible for unauthenticated attackers to opt an affected site into usage statistics collection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 3.12.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a2f118fc-d99a-4713-865e-2da7a9e20db5

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Ngoc Quang Bach (maysbachs)

Verified

No

WPVDB ID

291cf081-c3ce-4893-82fd-1d40665f73a1

Timeline

Publicly Published

2025-09-26 (about 7 months ago)

Added

2025-09-28 (about 7 months ago)

Last Updated

2025-09-28 (about 7 months ago)

Other

Published

Title

Published

2022-05-27

Title

Admin Management Xtended < 2.4.5 - Multiple CSRF

Published

2026-02-13

Title

WP Quick Contact Us <= 1.0 - Cross-Site Request Forgery to Settings Update

Published

2021-03-26

Title

Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta

Published

2025-04-01

Title

CLP – Custom Login Page by NiteoThemes <= 1.5.5 - Cross-Site Request Forgery

Published

2023-10-06

Title

Laposta Signup Basic < 1.4.2 - CSRF