PT-2026-54501 · Kstover · Ninja Forms – The Contact Form Builder That Grows With You

Suyoung Kim · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-1239

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-1239

Affected Products

Ninja Forms – The Contact Form Builder That Grows With You