WordPress Plugin Vulnerabilities

Ninja Forms < 3.6.26 - Subscriber+ Form Entries Export

Description

The plugin does not have proper authorisation check in the processing function, which could allow any authenticated users, such as subscriber to export and download submitted form entries

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.6.26

References

CVE
CVE-2023-38393

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
81998700-78f5-4e4d-9186-2ed1433dee0a

Timeline

Publicly Published
2023-07-25 (about 2 years ago)
Added
2023-07-29 (about 2 years ago)
Last Updated
2023-07-29 (about 2 years ago)

Other

Published
Title
Published
2025-11-07
Title
Contact Form 7 AWeber Extension < 0.1.43 - Missing Authorization to Authenticated (Subscriber+) Log Reset
Published
2026-03-20
Title
Appmax <= 1.0.3 - Order Status Manipulation and Arbitrary Order Creation
Published
2025-05-16
Title
Rozario <= 1.4 - Missing Authorization
Published
2024-04-25
Title
Vitepos < 3.0.2 - Missing Authorization
Published
2025-12-15
Title
LA-Studio Element Kit for Elementor < 1.5.6.3 - Missing Authorization