PT-2026-7248 · WordPress+1 · Ninja Forms+1

Johska · Published 2026-02-10 · Updated 2026-02-11 · CVE-2026-2268

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Ninja Forms versions prior to 3.14.1

Description

The Ninja Forms plugin for WordPress is susceptible to Sensitive Information Exposure in versions up to and including 3.14.0. This occurs because the ninja_forms_merge_tags filter is applied unsafely to user-provided input within repeater fields, allowing the resolution of {post_meta:KEY} merge tags without proper authorization. This enables unauthenticated attackers to retrieve arbitrary post metadata from any post on the site. The issue is exploitable via the nf_ajax_submit API endpoint and can expose sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information.

Recommendations

Update Ninja Forms to version 3.14.1 or later.
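
For sites that cannot update immediately, captured request bodies can be reviewed for the merge tag described above. The following detection sketch is an added example, not code from Ninja Forms or from this advisory; it assumes a form-encoded body whose submission JSON is carried in a parameter named formData, and the sample field layout is constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Matches the merge-tag form named in the advisory, e.g. {post_meta:KEY}
MERGE_TAG = re.compile(r"\{post_meta:([^{}]+)\}", re.IGNORECASE)


def find_post_meta_tags(node, path="$"):
    """Walk decoded JSON; return (json_path, meta_key) per merge tag found."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_post_meta_tags(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_post_meta_tags(value, f"{path}[{index}]")
    elif isinstance(node, str):
        hits += [(path, m.group(1)) for m in MERGE_TAG.finditer(node)]
    return hits


def inspect_request(body):
    """Flag post_meta merge tags in a form-encoded nf_ajax_submit request body."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "nf_ajax_submit":
        return []
    raw = params.get("formData", [""])[0]  # assumed parameter name
    try:
        return find_post_meta_tags(json.loads(raw))
    except ValueError:
        # Unparseable JSON: fall back to scanning the raw text.
        return [("$raw", m.group(1)) for m in MERGE_TAG.finditer(raw)]


def sample_body(action, form_data):
    """Build a constructed sample request body."""
    return urlencode({"action": action, "formData": form_data})


# Constructed samples; the field layout is illustrative, not the plugin's schema.
BENIGN = sample_body("nf_ajax_submit", json.dumps({"fields": {"7": {"value": "hello"}}}))
SUSPECT = sample_body("nf_ajax_submit", json.dumps(
    {"fields": {"7": {"value": [{"note": "x {post_meta:KEY}"}]}}}))
BROKEN = sample_body("nf_ajax_submit", '{"fields": "{post_meta:KEY}"')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT), ("broken", BROKEN)):
        print(name, inspect_request(body))
```

A hit on a public form submission is worth correlating with the post metadata keys in use on the site, since legitimate visitors have no reason to type merge tags into field values.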

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-2268

Affected Products

Ninja Forms
WooCommerce