PT-2026-60709 · Saturday Drive · Ninja Forms - Excel Export

CVE-2026-15161

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save filter() AJAX handler storing the raw $ POST['filter'] array into a WordPress option via update option() without any capability check, nonce verification, or input sanitization, combined with the get filter row() method on the admin Excel Export screen concatenating the stored filter values (field key, condition, value) directly into HTML attributes without esc attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15161

Affected Products

Ninja Forms - Excel Export