- Description: The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token, provided they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
- Source: security@wordfence.com
- NVD status: Analyzed
- Products: ninja_forms

CVSS 3.1
- Type: Primary
- Base score: 7.5
- Impact score: 3.6
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity: HIGH
- CWE (security@wordfence.com): CWE-639
- Hype score: Not currently trending
A few weeks ago I found an unauthenticated IDOR vulnerability in the Ninja Forms WordPress plugin (600k+ active installs) and received $1,600 for the report (CVE-2025-11924). Huge thanks to @wordfence for handling it professionally. It’s incredible that such simple bugs still exist.
@NiRoXoRiN
5 Jan 2026
CVE-2025-11924 (CVSS:7.5, HIGH) is Awaiting Analysis. The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Obj.. https://t.co/oqyViictkU #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
22 Dec 2025
🚨 HIGH severity alert: Ninja Forms for WordPress exposes sensitive form data due to an authorization bypass (CVE-2025-11924). Patch 3.13.1 is ineffective—restrict REST API access & monitor tokens now! 🔒 Details: https://t.co/yB3ypqjspH... https://t.co/bryVi1ievc
@offseq
17 Dec 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*",
            "matchCriteriaId": "16FE3FFA-18CE-46B5-8840-137710BBDD56",
            "versionEndExcluding": "3.13.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]