Ninja Forms < 3.14.1 – Unauthenticated Information Disclosure | CVE 2026-2268 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Sensitive Information Exposure due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.

Affects Plugins

Fixed in 3.14.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/24902fab-44ea-44c9-bcf5-70960cfeb402

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

johska

Verified

No

WPVDB ID

b72c539b-4d56-4c54-8b24-fcae0e891e54

Timeline

Publicly Published

2026-02-09 (about 3 months ago)

Added

2026-02-09 (about 3 months ago)

Last Updated

2026-05-11 (about 1 day ago)

Other

Published

Title

Published

2023-12-13

Title

Debug Log Manager < 2.3.0 - Sensitive Logs Exposure

Published

2024-04-22

Title

WP Fusion Lite – Marketing Automation and CRM Integration for WordPress < 3.43.0 - Information Exposure

Published

2024-12-11

Title

WP-NERD Toolkit <= 1.1 - Unauthenticated Information Exposure

Published

2025-12-08

Title

Custom Field Template < 2.7.7 - Authenticated (Subscriber+) Information Exposure

Published

2024-01-05

Title

WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.2.0 - Unauthorized Sensitive Data Exposure