CVE-2026-1307 in kstover Ninja Forms Plugin
Summary
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.
Responsible
Wordfence
Reservation
01/21/2026
Disclosure
03/28/2026
Entries
| Published | Base | Temp | Vulnerability | CWE | Prod | Exp | Cou | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 03/28/2026 | 5.4 | 5.3 | kstover Ninja Forms Plugin bootstrap.php admin_enqueue_scripts information disclosure | 200 | WordPress Plugin | Not defined | Not defined | 0.00031 | 0.37 | CVE-2026-1307 |