WordPress Plugin Vulnerabilities

Ninja Forms < 3.14.2 - Contributor+ Sensitive Information Disclosure via Block Editor Token

Description

The plugin is vulnerable to Sensitive Information Exposure via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.14.2

References

CVE
CVE-2026-1307
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/df4f4358-af6a-4a1a-bb83-afe31b3cdb9f

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Lucas Montes (NiRoX)
Verified
No
WPVDB ID
3eb8fd04-79e8-439e-a2a6-d90f48fd8598

Timeline

Publicly Published
2026-03-27 (about 1 month ago)
Added
2026-03-30 (about 1 month ago)
Last Updated
2026-03-30 (about 1 month ago)

Other

Published
Title
Published
2025-04-24
Title
Prevent Direct Access – Protect WordPress Files < 2.8.8.1 - Unauthenticated Sensitive Information Exposure
Published
2024-08-08
Title
Linkify Text <= 1.9.1 - Unauthenticated Full Path Disclosure
Published
2026-01-13
Title
LottieFiles – Lottie block for Gutenberg < 3.1.0 - Unauthenticated Sensitive Information Exposure
Published
2024-12-11
Title
Essential Real Estate < 5.1.7 - Missing Authorization to Authenticated (Contributor+) Information Exposure
Published
2025-12-15
Title
Sober < 3.5.12 - Unauthenticated Information Exposure