The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.
History

Wed, 01 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Kstover
Kstover ninja Forms – The Contact Form Builder That Grows With You
Wordpress
Wordpress wordpress
Vendors & Products Kstover
Kstover ninja Forms – The Contact Form Builder That Grows With You
Wordpress
Wordpress wordpress

Wed, 01 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.
Title Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:42:10.311Z

Reserved: 2026-01-20T17:56:47.784Z

Link: CVE-2026-1239

cve-icon Vulnrichment

Updated: 2026-07-01T10:33:28.400Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T14:30:05Z