CVE-2026-15160 in Ninja Forms Plugininfo

Summary

by MITRE • 07/17/2026

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in the Ninja Forms - Excel Export plugin represents a critical directory traversal flaw that has been present in all versions up to and including 3.3.6. This issue stems from insufficient input validation and sanitization within the plugin's file handling mechanism, specifically affecting the 'spreadsheet_export_tmp_name' parameter. The flaw allows authenticated attackers who possess subscriber-level privileges or higher to manipulate the file path construction process during Excel export operations.

The technical implementation of this vulnerability occurs when the plugin processes user-supplied data without proper validation, enabling attackers to inject malicious path sequences that bypass normal file system restrictions. When an attacker submits a crafted value for 'spreadsheet_export_tmp_name', the plugin's underlying code fails to properly sanitize or restrict the directory traversal components, allowing arbitrary file creation in unintended server locations. This weakness directly aligns with CWE-22 Directory Traversal and represents a classic path traversal vulnerability that has been consistently exploited across various web applications.

The operational impact of this vulnerability extends beyond simple unauthorized file creation, as it provides attackers with a potential staging ground for more sophisticated attacks. By writing .xls/.xlsx files to arbitrary server locations, authenticated users can establish persistent footholds or create malicious files that may be executed by the web server or exploited through subsequent vulnerabilities in the application stack. This capability significantly increases the attack surface and allows for privilege escalation scenarios where attackers can manipulate the web application's file system to compromise other components.

Security professionals should note that this vulnerability demonstrates poor input validation practices and highlights the importance of implementing proper access controls and file path sanitization within WordPress plugins. Organizations using affected versions should immediately implement mitigation strategies including plugin updates, network segmentation, and monitoring for unauthorized file creation activities. The ATT&CK framework categorizes this as a privilege escalation technique through file system manipulation, where attackers leverage directory traversal to establish persistent access and potentially escalate privileges within the web application environment.

Mitigation measures include applying the latest plugin updates from the vendor, implementing proper input validation on all user-supplied parameters, restricting file system permissions for WordPress directories, and deploying web application firewalls that can detect and block malicious path traversal attempts. Additionally, administrators should review user permissions and implement principle of least privilege access controls to minimize the potential impact of such vulnerabilities. The vulnerability underscores the critical need for comprehensive security testing of third-party plugins and regular security audits of WordPress installations to prevent similar issues from compromising system integrity.

Responsible

Wordfence

Reservation

07/08/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00459

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!