CVE-2026-15159 in Ninja Forms Plugin
Summary
by MITRE • 07/17/2026
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data — including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms — as a downloadable XLSX file.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability identified in the Ninja Forms - Excel Export plugin represents a critical security flaw that undermines the integrity of user data protection within WordPress environments. This issue manifests as an insecure direct object reference vulnerability affecting all versions through 3.3.6, where the plugin fails to properly validate user-controlled input parameters. The specific parameter 'spreadsheet_export_form_id' serves as the entry point for exploitation, allowing unauthorized access to form data that should remain protected. The vulnerability's classification aligns with CWE-639 which specifically addresses insecure direct object references in applications where access control is improperly implemented.
The technical implementation of this flaw stems from inadequate input validation mechanisms within the plugin's export functionality. When authenticated users submit requests containing the spreadsheet_export_form_id parameter, the system processes these inputs without sufficient verification of user permissions or form ownership. This oversight enables attackers with subscriber-level privileges to manipulate the parameter values and gain access to forms they should not be able to view or export. The vulnerability operates at the application layer where proper authorization checks are missing, allowing for arbitrary form enumeration and data extraction.
The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with comprehensive access to sensitive personal information collected through WordPress forms. Subscribers can exploit this weakness to download complete submission datasets including names, email addresses, phone numbers, physical addresses, and any other personally identifiable information gathered by the site's forms. This creates significant privacy risks for both website administrators and their users, potentially exposing individuals to identity theft, spam campaigns, and other malicious activities. The threat is particularly concerning because it requires minimal privileges to exploit, making it accessible to users who normally have limited access rights within the system.
Security mitigation strategies should focus on implementing proper input validation and access control mechanisms within the plugin's codebase. Developers must ensure that all user-controlled parameters undergo rigorous validation before processing, with explicit checks confirming that the requesting user has legitimate authorization to access the specified form data. The solution involves implementing robust authorization controls that verify user permissions against requested resources, preventing unauthorized enumeration of forms through parameter manipulation. This aligns with ATT&CK technique T1213 which addresses data from information repositories and emphasizes the importance of proper access controls in preventing unauthorized data access. Organizations should also consider implementing additional monitoring mechanisms to detect unusual export activity patterns and establish regular security audits to identify similar vulnerabilities across their WordPress installations.