The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.
History
Wed, 01 Jul 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Kstover; Kstover ninja Forms – The Contact Form Builder That Grows With You; Wordpress; Wordpress wordpress | |
| Vendors & Products | Kstover; Kstover ninja Forms – The Contact Form Builder That Grows With You; Wordpress; Wordpress wordpress | |

Wed, 01 Jul 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Wed, 01 Jul 2026 06:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information. | |
| Title | Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint | |
| Weaknesses | CWE-862 | |
| References | | |
| Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-01T10:42:10.311Z
Reserved: 2026-01-20T17:56:47.784Z
Link: CVE-2026-1239
Updated: 2026-07-01T10:33:28.400Z
OpenCVE Enrichment
Updated: 2026-07-01T14:30:05Z