High Severity Vulnerabilities Found in Ninja Forms Plugin

Ninja Forms, a popular form builder plugin for WordPress, has recently been found to contain multiple high-severity vulnerabilities [1] [2] [3] [4]. This poses a significant risk to the security of websites using this plugin.

Description

The first vulnerability, tracked as CVE-2023-37979, is a reflected Cross-Site Scripting (XSS) flaw [1] [2] [3] [4]. This flaw allows unauthorized users to escalate privileges and steal sensitive information [2]. Fortunately, this vulnerability has been addressed in version 3.6.26 of the plugin [1].

The second and third vulnerabilities involve broken access control on the form submissions export feature [1] [3] [4]. This flaw allows certain users to export all Ninja Forms submissions, regardless of their access privileges [1]. These vulnerabilities have been assigned CVE-2023-38393 and CVE-2023-38386 respectively [4]. Like the first vulnerability, both have been resolved in version 3.6.26 [1] [3] [4].

Unfortunately, it has been reported that only about half of all Ninja Forms users have downloaded the latest release. This means that approximately 400,000 sites are still vulnerable to these security risks. To protect their websites, website admins using the Ninja Forms plugin are strongly advised to update to version 3.6.26 or later. Alternatively, they can disable the plugin until the patch can be applied [2].

In light of these vulnerabilities, plugin and theme code should not call functions or instantiate classes whose names come from user-supplied strings without careful checks [4]. It is crucial to check and restrict the user’s ability to directly call specific functions or classes [4]. Additionally, performing a permission or access control check before carrying out an export data action is highly recommended [4].
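The two recommendations above, as an added example that is not Ninja Forms code: a hypothetical WordPress admin-ajax export handler that takes its exporter class name straight from the request is shown beside a hardened version that maps the request to a fixed allow-list of classes and checks the caller's capability and nonce first. The `my_`-prefixed names, the `csv`/`json` formats and the `manage_options` capability are assumptions.

```php
<?php
// Added example (not Ninja Forms code). Hypothetical handler for
// admin-ajax.php?action=my_export_submissions in a WordPress plugin.

// --- Weak pattern: the class to instantiate is taken from the request and
// no permission check is made, so any caller who can reach the hook can
// choose the class and trigger the export.
function my_export_submissions_weak() {
    $exporter_class = isset( $_REQUEST['exporter'] ) ? $_REQUEST['exporter'] : 'My_Csv_Exporter';
    $exporter       = new $exporter_class();      // user-controlled class name
    $exporter->export( absint( $_REQUEST['form_id'] ) );
    wp_die();
}

// --- Hardened pattern.
function my_export_submissions_safe() {
    // 1. Only users with the export capability may proceed (capability assumed;
    //    use the one your plugin actually registers).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die()
    }

    // 2. Require a valid nonce so the action cannot be triggered cross-site.
    check_ajax_referer( 'my_export_submissions', 'nonce' );

    // 3. Resolve the requested format through an allow-list instead of using
    //    the request string itself as a class name.
    $exporters = array(
        'csv'  => 'My_Csv_Exporter',
        'json' => 'My_Json_Exporter',
    );
    $format = isset( $_REQUEST['format'] ) ? sanitize_key( $_REQUEST['format'] ) : 'csv';
    if ( ! isset( $exporters[ $format ] ) ) {
        wp_send_json_error( 'unknown export format', 400 );
    }

    $class    = $exporters[ $format ];            // always one of our own classes
    $form_id  = absint( $_REQUEST['form_id'] );
    $exporter = new $class();
    $exporter->export( $form_id );
    wp_die();
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_ hook, so anonymous requests never reach it.
add_action( 'wp_ajax_my_export_submissions', 'my_export_submissions_safe' );
```

The capability check runs before the nonce check on purpose: a nonce proves the request originated from a page the user loaded, not that the user is allowed to export, so both checks are needed.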

Conclusion

The discovery of these vulnerabilities highlights the urgent need for prompt action to address security risks and protect WordPress sites. Users of Ninja Forms are strongly urged to update their plugins to version 3.6.26 or later to safeguard their websites [4]. Failure to do so could leave their sites vulnerable to unauthorized access and data theft. It is essential to prioritize website security and take proactive measures to mitigate potential risks in the future.

References

[1] https://www.infosecurity-magazine.com/news/high-severity-flaws-ninja-forms/
[2] https://lbttechgroup.com/index.php/blog/wordpress-ninja-forms-plugin-flaw-lets-hackers-steal-submitted-data
[3] https://patchstack.com/articles/multiple-high-severity-vulnerabilities-in-ninja-forms-plugin/
[4] https://cybersecurity-see.com/high-severity-vulnerabilities-found-in-ninja-forms-plugin/