October 2, 2023

Researchers have identified multiple vulnerabilities in the Ninja Forms plugin for WordPress that have more than 900,000 active installations, mainly using to create any type of form, including contact forms and payment forms.

The vulnerabilities tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393 can be exploited by threat actors to escalate privileges and steal sensitive data.

The first vulnerability, tracked as CVE-2023-37979, is a POST-based reflected XSS that can be exploited by an unauthenticated user to steal sensitive information and perform privilege escalation on the WordPress site. The attacker can trigger the issue by tricking privileged users into visiting a crafted website.


The second and third vulnerabilities, tracked as CVE-2023-38393 and CVE-2023-38386, are a broken access control on form submissions export feature. Subscriber and Contributor role user can exploit the flaws to export all of the Ninja Forms submissions on a WordPress site.

The vulnerabilities were addressed with the release of version 3.6.26.

Below is the timeline for the above issues:

  • 22 June 2023 – The vulnerability has been identified, and the plugin vendor notified.
  • 04 July 2023 – Ninja Forms version 3.6.26 was published to patch the reported issue.
  • 25 July 2023 – Added the vulnerabilities to the Patchstack vulnerability database.
  • 27 July 2023 – Security advisory article released.

Leave a Reply

%d bloggers like this: