Security Alert Summary
A vulnerability in the Ninja Forms – The Contact Form Builder That Grows With You plugin can expose an authorization token that allows authenticated users with Contributor-level access or higher to view form submissions for arbitrary forms. Those submissions may contain sensitive information. The issue is related to a callback used in the admin_enqueue_scripts action handler in blocks/bootstrap.php.
CVE Details
- CVE ID: CVE-2026-1307
- Affected component: Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress
- Affected versions: All versions up to, and including, 3.14.1
- Published: March 28, 2026 at 7:15:55 AM UTC
- Last modified: March 28, 2026 at 7:15:55 AM UTC
- CVSS v3.1: Base Score 6.5, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: Requires authentication; privileges required: LOW (Contributor-level and above); user interaction: NONE
- Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
- Weakness (CWE): CWE-200 (Information Exposure)
Technical Details
The vulnerability is a Sensitive Information Exposure stemming from a callback function registered for the admin_enqueue_scripts action handler in blocks/bootstrap.php. Because that callback runs for authenticated users with Contributor-level access or higher, those users can obtain an authorization token that grants the ability to view form submissions for arbitrary forms. The token exposure is the root cause described: whoever holds the token can read submission data without passing the access checks that would otherwise apply.
The description identifies the specific file and action handler involved but does not name additional functions or REST endpoints. The impact is limited to disclosure of submission data (confidentiality) and does not indicate any alteration of data or disruption of availability.
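The advisory names only the hook and the file, so the following is an added, hypothetical illustration (not Ninja Forms code) of why an admin_enqueue_scripts callback is a risky place to hand out a privileged token, and of the defensive pattern a plugin author would use instead. The hook fires on every wp-admin page for every logged-in user who can reach the dashboard, Contributors included, and anything passed to wp_localize_script lands in inline JavaScript that the page's viewer can read. All function names, script handles, REST routes and the option-backed storage below are assumptions made for the example.

```php
<?php
/*
 * Added example, not the plugin's code. Names such as my_plugin_*,
 * 'my-plugin-admin' and 'my-plugin/v1' are assumptions for illustration.
 */

// Hypothetical storage helpers so the example is self-contained.
function my_plugin_read_submissions( $form_id ) {
    $all = get_option( 'my_plugin_submissions', array() );   // array keyed by form id
    return isset( $all[ $form_id ] ) ? $all[ $form_id ] : array();
}
function my_plugin_issue_submissions_token() {
    // A long-lived, site-wide secret: valid for every form and not bound to a user.
    return get_option( 'my_plugin_submissions_token' );
}

/*
 * WEAK PATTERN: no screen check, no capability check. Any user who can open
 * wp-admin (a Contributor can) receives the site-wide token in the page source.
 */
function my_plugin_weak_enqueue( $hook_suffix ) {
    wp_enqueue_script( 'my-plugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'my-plugin-admin', 'myPluginData', array(
        'restUrl' => rest_url( 'my-plugin/v1/submissions' ),
        'token'   => my_plugin_issue_submissions_token(),   // visible via view-source
    ) );
}
// add_action( 'admin_enqueue_scripts', 'my_plugin_weak_enqueue' );   // do not register this

/*
 * HARDENED PATTERN: only on the plugin's own screen, only for users who may
 * read submissions, and the browser gets a per-user REST nonce, not a secret.
 */
function my_plugin_enqueue( $hook_suffix ) {
    // 1. Bail out on every admin page except the plugin's submissions screen.
    if ( 'toplevel_page_my-plugin-submissions' !== $hook_suffix ) {
        return;
    }
    // 2. Capability check before anything privileged reaches the browser.
    //    manage_options is used here so only Administrators qualify; a plugin
    //    could map its own capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'my-plugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'wp-api-fetch' ), '1.0', true );
    wp_localize_script( 'my-plugin-admin', 'myPluginData', array(
        'restUrl' => rest_url( 'my-plugin/v1/submissions' ),
        'nonce'   => wp_create_nonce( 'wp_rest' ),   // tied to the logged-in user, expires
    ) );
}
add_action( 'admin_enqueue_scripts', 'my_plugin_enqueue' );

/*
 * Server side: possession of a token or nonce never replaces authorization.
 * The permission_callback re-checks capability on every read.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'my-plugin/v1', '/submissions/(?P<form_id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( my_plugin_read_submissions( (int) $request['form_id'] ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'form_id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

The two checks in the hardened callback address the two halves of the problem the advisory describes: the screen check keeps the script off pages a Contributor lands on, and the capability check keeps credentials away from roles that should not hold them. The REST permission_callback matters just as much, because a token that the server accepts as proof of authorization turns every leak of that token into a full read of the data.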
How This Could Impact Your Website
Consider a typical small- to medium-sized WordPress site where the site owner has editors and contributors helping manage content. An external contractor or contributor granted Contributor-level access could, due to this issue, obtain an authorization token and view form submissions they should not normally be able to access. Those submissions may include contact details, email addresses, or other sensitive form data submitted by site visitors or staff.
Practical consequences include exposure of internal or user email addresses and increased risk of targeted phishing or social engineering campaigns against staff or customers who appear in form submissions. The issue does not, based on the provided data, indicate the ability to modify submissions or disrupt site availability.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor-level accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and form access logs for unusual behavior or unexpected access tokens.
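As an added helper for the first two actions above (not part of the advisory or the plugin), the WP-CLI script below reports whether the installed plugin version falls in the affected range and lists every account at Contributor level or above, which is the privilege level the CVSS vector (PR:L) describes as sufficient. The plugin directory slug ninja-forms and the script file name are assumptions; the version cutoff 3.14.1 is taken from the advisory.

```php
<?php
/*
 * Added audit script, not from the advisory. Run from the WordPress root:
 *     wp eval-file ninja-forms-audit.php
 * Assumption: the plugin lives in wp-content/plugins/ninja-forms/.
 */
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

$affected_max = '3.14.1';   // advisory: all versions up to and including this one

// 1. Installed plugin version against the affected range.
$found = false;
foreach ( get_plugins() as $file => $data ) {
    if ( 0 !== strpos( $file, 'ninja-forms/' ) ) {
        continue;
    }
    $found  = true;
    $state  = is_plugin_active( $file ) ? 'active' : 'inactive';
    $verdict = version_compare( $data['Version'], $affected_max, '<=' )
        ? 'AFFECTED - update when a fixed release is available'
        : 'outside the affected range';
    WP_CLI::log( sprintf( '%s %s (%s): %s', $data['Name'], $data['Version'], $state, $verdict ) );
}
if ( ! $found ) {
    WP_CLI::log( 'Ninja Forms is not installed under plugins/ninja-forms/.' );
}

// 2. Accounts that meet the precondition (Contributor and above).
//    Registration date and post count help spot stale accounts to remove or downgrade.
$roles = array( 'contributor', 'author', 'editor', 'administrator' );
$users = get_users( array( 'role__in' => $roles, 'orderby' => 'registered' ) );
WP_CLI::log( sprintf( '%d account(s) at Contributor level or above:', count( $users ) ) );
foreach ( $users as $user ) {
    WP_CLI::log( sprintf(
        '  %-20s %-30s roles=%-14s registered=%s posts=%d',
        $user->user_login,
        $user->user_email,
        implode( ',', $user->roles ),
        $user->user_registered,
        count_user_posts( $user->ID )
    ) );
}
```

Contributor accounts with no posts and an old registration date are the usual candidates for removal or downgrade to Subscriber, which sits below the privilege level this issue requires.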
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.