CVE-2026-15161 in Ninja Forms Plugin
Summary
by MITRE • 07/17/2026
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw $_POST['filter'] array into a WordPress option via update_option() without any capability check, nonce verification, or input sanitization, combined with the get_filter_row() method on the admin Excel Export screen concatenating the stored filter values (field_key, condition, value) directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability identified in the Ninja Forms Excel Export plugin represents a critical stored cross-site scripting flaw that undermines the security posture of WordPress installations. This issue affects versions up to and including 3.3.6, where the plugin fails to implement proper security controls during the handling of user input through its AJAX endpoints. The core technical weakness lies in the save_filter() function which directly stores user-supplied data from the $_POST['filter'] array into WordPress options without any form of validation or sanitization. This approach violates fundamental security principles and creates an attack surface that malicious actors can exploit to inject persistent malicious scripts into the application's data storage.
The vulnerability exploitation occurs through a combination of insufficient input validation and improper output escaping mechanisms within the plugin's admin interface. When administrators or users with subscriber-level privileges access the Excel Export screen, the get_filter_row() method retrieves these stored values and incorporates them directly into HTML attributes without proper escaping via esc_attr(). This concatenation pattern creates an environment where malicious scripts can be embedded in field_key, condition, or value parameters and subsequently executed whenever the compromised page is rendered. The attack vector is particularly concerning because it requires only subscriber-level access, which is typically granted to users who can submit forms on a WordPress site, making it accessible to a broad range of potential attackers.
From an operational impact perspective, this vulnerability enables authenticated attackers to establish persistent malicious presence within affected WordPress installations. Once injected, the stored scripts can execute in the context of any user who views pages containing the compromised filter data, potentially leading to session hijacking, credential theft, or further compromise of the affected system. The vulnerability's persistence stems from the fact that stored data remains active until manually removed by administrators, creating a long-term security risk. According to CWE classification, this represents a stored XSS vulnerability (CWE-89) with improper neutralization of input during web output, and aligns with ATT&CK techniques for credential access and persistence through web application vulnerabilities.
The mitigation strategy must address both immediate remediation and long-term security hardening measures. Administrators should immediately update to the latest version of the Ninja Forms Excel Export plugin where this vulnerability has been patched, ensuring that all users are running a secure version. Additionally, implementing proper capability checks and nonce verification in AJAX handlers would prevent unauthorized modifications to stored filter data. The plugin's code should be updated to include input sanitization using WordPress's built-in sanitization functions and output escaping through esc_attr() or similar mechanisms before rendering user-supplied data into HTML attributes. Security monitoring should also be enhanced to detect anomalous patterns in filter data storage, and regular security audits of third-party plugins should be conducted to identify similar vulnerabilities. Organizations should consider implementing web application firewalls to provide additional protection layers against such attacks while maintaining proper access controls and least privilege principles for user accounts.