Platform: wordpress
Component: ninja-forms
Fixed in: 3.14.2
CVE-2026-1307 is an Information Disclosure vulnerability affecting the Ninja Forms WordPress plugin. It allows authenticated attackers with Contributor-level access or higher to obtain an authorization token, potentially exposing sensitive information contained in form submissions. Ninja Forms versions 3.14.1 and earlier are affected; the vulnerability is fixed in version 3.14.2.
CVE-2026-1307 in Ninja Forms exposes sensitive information. Authenticated attackers with Contributor-level access or higher can obtain an authorization token that lets them view submissions for arbitrary forms. This is particularly concerning where forms collect Personally Identifiable Information (PII), financial data, or other confidential information. The risk is that an attacker who already holds a low-privilege account can read data that should not be available to that role, compromising user privacy and the integrity of stored information. Because only an authenticated user with a relatively low access level is needed, exploitation is easy and a successful attack is correspondingly more likely. Because the flaw sits in a callback function of the plugin, it is likely to be hard to detect and mitigate without a plugin update.
An attacker with Contributor or higher access on a WordPress site running Ninja Forms can exploit this vulnerability. For example, the attacker could create a form whose fields request sensitive information, such as credit card numbers or personal details, then use the vulnerability to obtain the authorization token and read the submissions for that form. Exploitation does not require advanced technical skills, which raises the risk of attacks by users with limited abilities. The vulnerability lives in the plugin's own code, so a WordPress core update will not resolve it.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2026-1307 is to update Ninja Forms to version 3.14.2 or higher. The update addresses the vulnerability directly by correcting the authorization token handling in the admin_enqueue_scripts function in blocks/bootstrap.php. Until the update is applied, restrict user privileges to those who genuinely need them. Regularly auditing installed plugins and keeping WordPress updated also improves security. Additionally, review the Ninja Forms permission settings to ensure that only authorized users can access sensitive form information.
Update to version 3.14.2, or a newer patched version
An authorization token is a unique code that allows a user or application to access protected resources. In this case, it allows viewing form submissions.
In WordPress, 'Contributor' is a user role with limited privileges. They can publish and manage their own posts but do not have access to site configuration.
No, it is not safe. CVE-2026-1307 represents a significant security risk to your website and user information. Updating to version 3.14.2 or higher is essential.
In the WordPress admin dashboard, go to 'Plugins' and look for 'Ninja Forms'. The current version will be displayed below the plugin name.
If you suspect your site has been compromised, immediately change all user passwords, perform a full site backup, and consider consulting a web security professional.
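As an added illustration, not code from this page or from the Ninja Forms project, the following mu-plugin shows two defensive checks that follow from the mitigation advice and the version check above. It reads the installed Ninja Forms version from the plugin header and warns administrators while it is below the fixed release 3.14.2, and it contrasts a weak admin_enqueue_scripts callback that hands a submissions token to every user who loads the admin area with a hardened one that only localizes the token for users holding the relevant capability. The token name, the nf_example_submissions_token() helper, the option it reads, and the use of manage_options as the gate are assumptions; the plugin's real code and capability names are not on the page.

```php
<?php
/**
 * Added example (not Ninja Forms code): defensive checks for the class of
 * issue described in CVE-2026-1307, packaged as a WordPress mu-plugin.
 * Drop the file into wp-content/mu-plugins/ to activate it.
 *
 * Hypothetical names used below: 'nf_example_submissions_token' (option),
 * nf_example_submissions_token() (helper) and 'manage_options' (gate).
 */

const NF_EXAMPLE_FIXED_VERSION = '3.14.2';

/** True when the given Ninja Forms version is older than the fixed release. */
function nf_example_is_vulnerable_version( string $installed ): bool {
    return version_compare( $installed, NF_EXAMPLE_FIXED_VERSION, '<' );
}

/** Installed Ninja Forms version read from its plugin header, or null if not installed. */
function nf_example_installed_version(): ?string {
    $main_file = WP_PLUGIN_DIR . '/ninja-forms/ninja-forms.php';
    if ( ! file_exists( $main_file ) ) {
        return null;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $main_file, false, false );
    return $data['Version'] ?? null;
}

/** Dashboard notice for users who can update plugins while a vulnerable version is installed. */
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $installed = nf_example_installed_version();
    if ( null !== $installed && nf_example_is_vulnerable_version( $installed ) ) {
        $message = sprintf(
            'Ninja Forms %s is installed; CVE-2026-1307 is fixed in %s. Update the plugin.',
            $installed,
            NF_EXAMPLE_FIXED_VERSION
        );
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
    }
} );

/**
 * Placeholder for whatever issues the submissions token. The real source is
 * not on the page, so this reads a constructed option name for illustration.
 */
function nf_example_submissions_token(): string {
    return (string) get_option( 'nf_example_submissions_token', '' );
}

/**
 * Weak pattern (not hooked): the only gate is reaching the admin area, so a
 * Contributor editing their own posts receives the token in the page source.
 */
function nf_example_enqueue_weak(): void {
    wp_enqueue_script( 'nf-example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'nf-example-admin', 'nfExample', array(
        'token' => nf_example_submissions_token(),
    ) );
}

/**
 * Hardened pattern: the token is looked up and localized only for users who
 * hold the capability that also governs reading submissions. Lower roles still
 * get the script, but with an empty token field.
 */
function nf_example_enqueue_hardened(): void {
    wp_enqueue_script( 'nf-example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    $data = array( 'token' => '' );
    if ( current_user_can( 'manage_options' ) ) {
        $data['token'] = nf_example_submissions_token();
    }
    wp_localize_script( 'nf-example-admin', 'nfExample', $data );
}

add_action( 'admin_enqueue_scripts', 'nf_example_enqueue_hardened' );
```

The capability check belongs in the enqueue callback itself, not only in the AJAX or REST handler that later consumes the token: once a secret is localized into a script, every user who can load that admin page can read it from the HTML, which is exactly the exposure the advisory describes for Contributor-level accounts.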