PT-2021-20615 · WordPress · Ninja Forms
Chloe Chamberland · Published 2021-09-22 · Updated 2022-10-27 · CVE-2021-34647
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Ninja Forms WordPress plugin versions up to and including 3.5.7
Description:
The issue allows authenticated attackers to export all Ninja Forms submission data via the "/ninja-forms-submissions/export" REST API endpoint; the exported data can include personally identifiable information. The cause is a sensitive information disclosure in the bulk export submissions function found in the ~/includes/Routes/Submissions.php file, which does not correctly authorize the requesting user before serving the export.

Recommendations:
- For versions up to and including 3.5.7, update to a version later than 3.5.7 to resolve the issue.
- As a temporary workaround, consider restricting access to the /ninja-forms-submissions/export REST API endpoint until a patch is available.
- Avoid using the bulk export submissions function in the affected versions until the issue is resolved.

Exploit
Fix
Incorrect Authorization
Missing Authorization
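The temporary workaround in the Recommendations (restricting the export endpoint until the plugin is updated) can be applied site-wide with a small must-use plugin. This is an added example, not code from Ninja Forms or from the advisory; it assumes the export route path contains the fragments named in the advisory and that `manage_options` is the right capability for operators who legitimately export submissions.

```php
<?php
/**
 * Plugin Name: Restrict Ninja Forms submissions export (temporary workaround)
 * Description: Denies REST requests to the Ninja Forms submissions export
 *              route unless the caller can manage options. Added example,
 *              not part of Ninja Forms. Place in wp-content/mu-plugins/.
 */

/**
 * True when a REST route looks like the submissions export endpoint.
 * Assumption: the route contains both fragments named in the advisory
 * ("/ninja-forms-submissions/export"); a version segment between them,
 * if any, is tolerated by matching the fragments separately.
 */
function nf_export_guard_is_export_route( string $route ): bool {
    $route = strtolower( trim( $route, '/' ) );
    return strpos( $route, 'ninja-forms-submissions' ) === 0
        && substr( $route, -6 ) === 'export';
}

/**
 * Runs before any REST callback (including the plugin's own permission
 * callback). Returning a WP_Error short-circuits the request with 403,
 * so low-privilege authenticated users never reach the export handler.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! nf_export_guard_is_export_route( $request->get_route() ) ) {
        return $response; // some other endpoint: leave it untouched
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        // Record the denied attempt so operators can spot probing of the export.
        error_log( sprintf(
            'nf-export-guard: blocked export request by user %d from %s',
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'rest_forbidden',
            'Submission export is restricted on this site.',
            array( 'status' => 403 )
        );
    }

    return $response;
}, 10, 3 );
```

After updating past 3.5.7, remove the file; the guard is a stopgap, not a replacement for the plugin's own authorization check.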
Related Identifiers
Affected Products
Ninja Forms