Marco Lunardi discovered a high-impact vulnerability in Ninja Forms < 3.13.3 that allows unauthenticated remote attackers to generate valid access tokens and fully disclose stored form submissions via exposed REST API endpoints. The issue stems from a complete lack of authentication and authorization checks in the token refresh mechanism, enabling arbitrary enumeration of form IDs and unauthorized access to sensitive user data.
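One way to look for this behaviour in web server access logs, as an added example that is not from the advisory or the Ninja Forms project: it flags clients that were issued a token and then successfully read submissions from several distinct form IDs. The route paths, the `min_forms` threshold and the log lines are constructed placeholders (assumptions), because the advisory text names no endpoints.

```python
import re
from collections import defaultdict

# Placeholder routes (assumptions): the advisory does not name the endpoints,
# so replace these with the plugin's REST paths as seen in your own logs.
P = "/wp-json/PLUGIN-NAMESPACE"
TOKEN_ROUTE = re.compile(r"^/wp-json/PLUGIN-NAMESPACE/token/refresh")
SUBMISSIONS_ROUTE = re.compile(r"^/wp-json/PLUGIN-NAMESPACE/forms/(\d+)/submissions")

# Common/combined log format prefix: client, timestamp, request path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def find_enumeration(lines, min_forms=3):
    """Return {client: sorted form IDs} for clients that obtained a token and
    then successfully read submissions from at least min_forms distinct forms."""
    got_token = set()
    forms_read = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format
        client, path, status = m.groups()
        if not status.startswith("2"):
            continue  # only successful responses issue tokens or disclose data
        if TOKEN_ROUTE.match(path):
            got_token.add(client)
            continue
        hit = SUBMISSIONS_ROUTE.match(path)
        # Count a read only if this client was issued a token earlier in the log.
        if hit and client in got_token:
            forms_read[client].add(int(hit.group(1)))
    return {c: sorted(ids) for c, ids in forms_read.items() if len(ids) >= min_forms}

def _line(ip, method, path, status):
    # Builds one constructed log line; timestamp and size are arbitrary.
    return f'{ip} - - [01/Jan/2025:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample traffic (documentation IP ranges, not real log data).
SAMPLE_LOG = [
    _line("203.0.113.7", "POST", P + "/token/refresh", 200),
    *[_line("203.0.113.7", "GET", f"{P}/forms/{i}/submissions", 200 if i < 4 else 404)
      for i in range(1, 5)],                      # walks form IDs 1..4, ID 4 missing
    _line("198.51.100.20", "POST", P + "/token/refresh", 200),
    _line("198.51.100.20", "GET", P + "/forms/2/submissions", 200),
    _line("198.51.100.20", "GET", P + "/forms/2/submissions", 200),  # same form twice
    _line("192.0.2.9", "GET", P + "/forms/1/submissions", 401),      # rejected, no token
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Access logs do not record whether a request carried WordPress credentials, so the check keys on behaviour (token issuance followed by reads across many form IDs) rather than on authentication state.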