CVE-2025-11924
📋 TL;DR
Unauthenticated attackers can read arbitrary form definitions and submission records held by the Ninja Forms WordPress plugin. The attack uses a bearer token that pages containing the Submissions Table block expose: anyone who can load such a page can obtain the token and present it to the plugin's ninja-forms-views REST API without holding a WordPress account. Every site running an unpatched version (3.13.2 or earlier) is affected.
💻 Affected Systems
- Ninja Forms - The Contact Form Builder That Grows With You
📦 What is this software?
Ninja Forms by Ninjaforms
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all form submissions containing sensitive user data (PII, payment info, credentials) leading to data breach, regulatory fines, and reputational damage.
Likely Case
Unauthorized access to form submissions containing personal information, potentially violating privacy regulations and exposing sensitive business data.
If Mitigated
Exposure is limited where no publicly reachable page uses the Submissions Table block (so no token is exposed), where the ninja-forms-views REST namespace is blocked at the edge for everyone but administrators, and where calls to that namespace are monitored. Ordinary network segmentation does little here: the REST API of a public website has to be reachable from the internet.
🎯 Exploit Status
Exploitation needs a bearer token, but that token is exposed by any page that contains the Submissions Table block, so an attacker only has to load such a page to obtain it. Once the token is in hand, the ninja-forms-views REST endpoints accept it without any WordPress login, which is why the issue is rated as unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.13.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3415563/ninja-forms
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Ninja Forms.
4. Click "Update Now" if an update is available.
5. Alternatively, download version 3.13.3 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable REST API endpoints
Temporarily unregister the vulnerable ninja-forms-views REST routes with a WordPress filter.
Put the following in a must-use plugin (a file under wp-content/mu-plugins/) rather than the theme's functions.php, so a theme update cannot silently drop it:

```php
<?php
/**
 * Temporary workaround for CVE-2025-11924: unregister every REST route in the
 * ninja-forms-views namespace. Remove once Ninja Forms 3.13.3 or later is installed.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    foreach ( $endpoints as $route => $endpoint ) {
        // Route keys look like "/ninja-forms-views/..."; drop all of them.
        if ( strpos( $route, 'ninja-forms-views' ) !== false ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Expect the Submissions Table block itself to stop working while this filter is active, since the block relies on the same API.
Remove Submissions Table blocks
Remove every Submissions Table block from pages and posts so that no page exposes the token.
Manually edit each page or post that contains the block and remove it. Check reusable blocks and patterns as well, and purge any page cache or CDN copy afterwards, because a cached copy of the page still carries the token.
🧯 If You Can't Patch
- At the reverse proxy or WAF, restrict /wp-json/ninja-forms-views/ to the source addresses of administrators who need the Submissions Table block and block it for everyone else
- Deploy WAF rules that block or rate-limit requests to ninja-forms-views routes from clients without a wordpress_logged_in_* cookie
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Ninja Forms → Version. If version is 3.13.2 or earlier, system is vulnerable.
Check Version:
With WP-CLI, from the WordPress root:

```shell
wp plugin list --name=ninja-forms --field=version
```

or read the version from the WordPress admin panel.
Verify Fix Applied:
After updating, confirm the version is 3.13.3 or later. Then request a route under /wp-json/ninja-forms-views/ with no Authorization header and confirm it returns an authentication error (401 or 403) rather than form or submission data. Note that the namespace index itself, GET /wp-json/ninja-forms-views, is public on every WordPress site and returns 200 with a route listing; that alone is not a finding. Finally, load a page that contains the Submissions Table block as a logged-out visitor and confirm it no longer exposes a bearer token.
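The two checks above, as an added example (this script is not part of the advisory or of the Ninja Forms project). It compares the installed version against the fixed release numerically, which matters because a plain string compare would rank 3.13.10 below 3.13.3, and it probes every route listed by the public namespace index without a token. It assumes WP-CLI on PATH and execution from the WordPress root for --check, and curl for --probe; the advisory does not name the plugin's individual routes, so they are read from the index at run time.

```shell
#!/bin/sh
# Added example for CVE-2025-11924 verification; not vendor code.
# Assumptions: WP-CLI on PATH, run from the WordPress root (--check); curl (--probe).

FIXED_VERSION=3.13.3   # first fixed release named in the advisory

# version_lt A B: exit 0 when dotted version A is older than B.
# Per-component numeric compare, so 3.13.10 is correctly newer than 3.13.3.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# ninja_forms_vulnerable VERSION: exit 0 when VERSION is 3.13.2 or earlier.
ninja_forms_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed: read the installed version via WP-CLI and classify it.
check_installed() {
    ver=$(wp plugin list --name=ninja-forms --field=version 2>/dev/null)
    if [ -z "$ver" ]; then
        echo "ninja-forms not installed, or WP-CLI not usable from this directory" >&2
        return 2
    fi
    if ninja_forms_vulnerable "$ver"; then
        echo "ninja-forms $ver: VULNERABLE (update to $FIXED_VERSION or later)"
        return 1
    fi
    echo "ninja-forms $ver: patched"
}

# probe SITE_URL: enumerate routes from the (always public) namespace index and
# request each one with no token. After the fix every data route should answer
# 401 or 403; a 200 on the bare namespace path is the index itself, not a finding.
# Routes containing regex parameters (e.g. "(?P<id>...)") need a real value
# substituted before the result means anything.
probe() {
    base=${1%/}
    curl -s "$base/wp-json/ninja-forms-views" |
        grep -o '"/ninja-forms-views[^"]*"' | tr -d '"' | sort -u |
        while read -r route; do
            code=$(curl -s -o /dev/null -w '%{http_code}' "$base/wp-json$route")
            printf '%s %s\n' "$code" "$route"
        done
}

case "${1-}" in
    --check) check_installed ;;
    --probe) probe "${2-}" ;;
esac
```

Run `sh check.sh --check` on the host and `sh check.sh --probe https://example.org` from outside the network; anything other than 401/403 on a data route after the update deserves a closer look.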
📡 Detection & Monitoring
Log Indicators:
- 200 responses to /wp-json/ninja-forms-views/ routes for clients that hold no WordPress login session: data was served. Bursts of 401/403 responses from one client to the same routes indicate probing or use of an invalid or expired token.
- Unusual access patterns to form submission data
Network Indicators:
- HTTP GET requests to /wp-json/ninja-forms-views/ routes that present the leaked bearer token (typically an Authorization: Bearer header) but carry no wordpress_logged_in_* cookie, especially from source addresses that never authenticated to wp-admin
- Traffic spikes to REST API endpoints
SIEM Query:
Splunk-style query; field names (uri_path, response_code, user_agent, src_ip) depend on how your web logs are parsed:

```
source="web_logs" uri_path="/wp-json/ninja-forms-views/*" (response_code=200 OR response_code=403) NOT user_agent="*bot*"
| stats count by src_ip, response_code
```

Treat any src_ip with a count of 200 responses as a confirmed read of submission data, not merely an attempt.
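The same logic for a server without a SIEM, run straight over an access log, as an added example (not from the advisory): it counts, per client, requests under the ninja-forms-views namespace and how many of them got a 200, skipping user agents that mention "bot" as the query above does. It assumes the standard Apache/nginx combined log format (request path in field 7, status in field 9, user agent as the last quoted string) and also matches the `?rest_route=` form used when pretty permalinks are off. The log lines below are constructed for the demonstration; the route segment after the namespace is a placeholder, since the advisory does not name the plugin's routes.

```shell
#!/bin/sh
# Added example: flag clients reading the ninja-forms-views REST namespace.
# Assumes combined log format; not part of the advisory or the plugin.

# Constructed sample log (not real traffic); routes after the namespace are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Nov/2025:12:00:01 +0000] "GET /wp-json/ninja-forms-views/example-route HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:12:00:02 +0000] "GET /wp-json/ninja-forms-views/example-route?page=2 HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:12:00:03 +0000] "GET /wp-json/ninja-forms-views/other-route HTTP/1.1" 403 77 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2025:12:05:00 +0000] "GET /wp-json/ninja-forms-views/example-route HTTP/1.1" 401 80 "-" "curl/8.4.0"
198.51.100.2 - - [10/Nov/2025:12:06:00 +0000] "GET /wp-json/ninja-forms-views/example-route HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.7 - - [10/Nov/2025:12:07:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
EOF
)

# ninja_views_report: stdin = access log lines; stdout = "ip requests successes",
# one line per non-bot client that touched the namespace, sorted by ip.
ninja_views_report() {
    awk '
    $7 == "/wp-json/ninja-forms-views" ||
    $7 ~ /^\/wp-json\/ninja-forms-views[\/?]/ ||
    $7 ~ /rest_route=\/ninja-forms-views/ {
        # user agent is the last quoted string on the line
        match($0, /"[^"]*"$/)
        ua = tolower(substr($0, RSTART + 1, RLENGTH - 2))
        if (ua ~ /bot/) next          # same crude exclusion as the SIEM query
        total[$1]++
        if ($9 == 200) ok[$1]++       # 200 = the server actually returned data
    }
    END {
        for (ip in total) printf "%s %d %d\n", ip, total[ip], ok[ip] + 0
    }' | sort
}

# suspect_ips: clients with at least one successful (200) read.
suspect_ips() {
    ninja_views_report | awk '$3 > 0 { print $1 }'
}

# Usage: sh report.sh --demo   (runs on the sample)
#        sh report.sh < /var/log/nginx/access.log
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ninja_views_report
fi
```

Two caveats a practitioner will hit: the combined log format does not record cookies, so this cannot tell an administrator's legitimate use of the block from an attacker reusing the token; add the presence of a wordpress_logged_in_* cookie to a custom log format if you need that distinction. And the "bot" filter is only there to mirror the SIEM query; an attacker choosing a crawler user agent walks straight past it, so for incident scoping run the report without it.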