WordPress Plugin Vulnerabilities

Ninja Forms < 3.6.26 - Contributor+ Form Entries Export

Description

The plugin does not have proper authorisation check in the export_listen function, which could allow Contributors and above roles to export and download submitted form entries

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.6.26

References

CVE
CVE-2023-38386

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
92c13556-4fe9-41f8-84c5-0f218a1bc73d

Timeline

Publicly Published
2023-07-25 (about 2 years ago)
Added
2023-07-29 (about 2 years ago)
Last Updated
2023-07-29 (about 2 years ago)

Other

Published
Title
Published
2024-05-03
Title
Swift Framework <= 2.7.31 - Missing Authorization to Unauthenticated Arbitrary Content Update
Published
2024-04-29
Title
ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
Published
2024-10-24
Title
WP Booking System < 2.0.19.11 - Missing Authorization via wpbs_refresh_calendar_editor
Published
2025-04-09
Title
Woo Product Feed For Marketing Channels <= 1.9.0 - Missing Authorization
Published
2025-11-22
Title
Timetics < 1.0.45 - Missing Authorization