WordPress Plugin Vulnerabilities

Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure

Description

The plugin allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.

Proof of Concept

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.13.3

References

CVE
CVE-2025-14072

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Marco Lunardi
Submitter
Marco Lunardi
Verified
Yes
WPVDB ID
4b19a333-eb19-4903-aa96-1fe871dd0f9f

Timeline

Publicly Published
2025-12-12 (about 21 days ago)
Added
2025-12-12 (about 20 days ago)
Last Updated
2025-12-12 (about 20 days ago)

Other

Published
Title
Published
2016-03-22
Title
OptinMonster <= 1.1.4.5 - Execution of Arbitrary Shortcodes
Published
2025-03-06
Title
WPCOM Member < 1.7.6 - Authentication Bypass via 'user_phone'
Published
2016-07-19
Title
Form Lightbox - Arbitrary Option Update Leading to Admin Account
Published
2024-03-22
Title
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.23 - Sensitive Information Exposure
Published
2024-10-14
Title
WP 2FA with Telegram < 3.1 - Two-Factor Authentication Bypass