CVE-2025-11924: CWE-639 Authorization Bypass Through User-Controlled Key in kstover Ninja Forms – The Contact Form Builder That Grows With You
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
AI Analysis
Technical Summary
CVE-2025-11924 is an authorization bypass vulnerability in the Ninja Forms WordPress plugin (versions up to 3.13.2). The plugin fails to properly verify user authorization before exposing form metadata and submission data via the `ninja-forms-views` REST endpoints. Attackers with a leaked bearer token can read arbitrary form definitions and submissions if they can load a page containing the Submissions Table block. A patch released in version 3.13.1 intended to fix this issue was ineffective because it introduced a REST API endpoint that allowed minting bearer tokens for arbitrary form IDs, thus not resolving the authorization bypass.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive form data and submission records, potentially exposing confidential user information. The ineffective patch means the risk persists in versions up to and including 3.13.2. There are no known exploits in the wild as of the published date. The CVSS score of 7.5 indicates a high severity impact with network attack vector, no privileges or user interaction required, and high confidentiality impact.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a proper fix is released, users should consider restricting access to pages containing the Submissions Table block and protect bearer tokens carefully to prevent leakage. Monitor vendor communications for updates on an effective patch.
CVE-2025-11924: CWE-639 Authorization Bypass Through User-Controlled Key in kstover Ninja Forms – The Contact Form Builder That Grows With You
Description
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-11924 is an authorization bypass vulnerability in the Ninja Forms WordPress plugin (versions up to 3.13.2). The plugin fails to properly verify user authorization before exposing form metadata and submission data via the `ninja-forms-views` REST endpoints. Attackers with a leaked bearer token can read arbitrary form definitions and submissions if they can load a page containing the Submissions Table block. A patch released in version 3.13.1 intended to fix this issue was ineffective because it introduced a REST API endpoint that allowed minting bearer tokens for arbitrary form IDs, thus not resolving the authorization bypass.
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive form data and submission records, potentially exposing confidential user information. The ineffective patch means the risk persists in versions up to and including 3.13.2. There are no known exploits in the wild as of the published date. The CVSS score of 7.5 indicates a high severity impact with network attack vector, no privileges or user interaction required, and high confidentiality impact.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a proper fix is released, users should consider restricting access to pages containing the Submissions Table block and protect bearer tokens carefully to prevent leakage. Monitor vendor communications for updates on an effective patch.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-17T18:54:25.934Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 694254ebbd21432f8e5297b8
Added to database: 12/17/2025, 6:59:55 AM
Last enriched: 4/9/2026, 4:00:20 PM
Last updated: 5/10/2026, 10:31:40 AM
Views: 217
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.