
CVE-2025-11924: CWE-639 Authorization Bypass Through User-Controlled Key in kstover Ninja Forms – The Contact Form Builder That Grows With You

Severity: High
Tags: Vulnerability, CVE-2025-11924, CWE-639
Published: Wed Dec 17 2025 (12/17/2025, 06:42:30 UTC)
Source: CVE Database V5
Vendor/Project: kstover
Product: Ninja Forms – The Contact Form Builder That Grows With You

Description

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 07:14:52 UTC

Technical Analysis

CVE-2025-11924 is an authorization bypass, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), in the Ninja Forms plugin for WordPress, versions up to and including 3.13.2. The plugin does not verify that the caller is authorized before its `ninja-forms-views` REST endpoints return form metadata and submission content; the only gate is a bearer token, and that token is exposed to anyone who can load a page containing the Submissions Table block. An unauthenticated visitor who obtains it can therefore read arbitrary form definitions and submission records. The patch shipped in 3.13.1 addressed the original leak but introduced a REST endpoint that mints valid bearer tokens for arbitrary form IDs, so the fix is ineffective and 3.13.2 remains affected. Exploitation is remote and needs no account or user interaction; the only precondition is that the attacker can load a page that renders the Submissions Table block. The impact is on confidentiality: submissions commonly contain personal or otherwise sensitive data. The CVSS v3.1 base score is 7.5 (High), reflecting easy exploitation and high confidentiality impact with no integrity or availability impact. No exploitation in the wild had been reported at the time of this analysis, but the low bar to exploit makes this a priority for any site running the plugin, including the many European organizations that rely on WordPress for their web presence and customer interaction.

Potential Impact

The primary impact of CVE-2025-11924 is unauthorized disclosure of data submitted through Ninja Forms on WordPress sites. European organizations that use the plugin to collect contact details, feedback or other personal information face a data breach that may be reportable under GDPR, with the associated regulatory fines, reputational damage and loss of customer trust. Because the flaw allows remote, unauthenticated reads of form data, it can be exploited at scale against many sites at once. There is no integrity or availability impact, so service disruption is not expected, but that does not reduce the severity of the confidentiality loss. Organizations in finance, healthcare, education and government, which frequently collect sensitive data through web forms, are particularly exposed. The ease of exploitation and the plugin's popularity make both targeted and opportunistic attacks within Europe likely.

Mitigation Recommendations

1. Apply the first Ninja Forms release newer than 3.13.2 that the developer states resolves this issue. 3.13.1 added an ineffective fix and 3.13.2 is still listed as affected, so monitor the plugin's changelog and update as soon as a corrected build is published.
2. Until patched, block unauthenticated requests to the `ninja-forms-views` REST endpoints with a web application firewall rule or a server-side check, so that only logged-in, authorized users can reach them. Pages that render the Submissions Table block expose the bearer token, so also remove that block from publicly reachable pages until a fixed release is installed.
3. Treat any bearer token issued for the `ninja-forms-views` endpoints as compromised. Rotating tokens is not sufficient on its own, because the endpoint introduced in 3.13.1 mints new valid tokens for arbitrary form IDs; that endpoint must be blocked or patched.
4. Log REST API access and alert on requests to `ninja-forms-views` routes from unauthenticated sources, on bursts of such requests across many form IDs, and on any request that presents a bearer token without a WordPress session.
5. Review what submission data the plugin stores and for how long; delete submissions that are no longer needed and encrypt stored submissions where the deployment allows it, so that a successful read exposes as little as possible.
6. Ensure site administrators understand the risk of running plugins that are not kept current, and schedule regular security reviews of WordPress installations.
7. If the site cannot be protected by the measures above, temporarily deactivate Ninja Forms or replace it with another contact form solution until a secure version is available.
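A server-side version of recommendations 2 and 4, as an added example rather than code from Ninja Forms or from the advisory: a WordPress must-use plugin that refuses requests to any REST route whose path contains `ninja-forms-views` unless the caller is a logged-in administrator, and logs each blocked attempt. It assumes the vulnerable routes are registered under a REST namespace containing that string (the advisory names the endpoints only by that label, not by full path); the `nfv_guard_` names and the `manage_options` capability check are the example's own choices.

```php
<?php
/**
 * Plugin Name: Temporary guard for ninja-forms-views REST routes
 * Description: Added example, not Ninja Forms code. Denies non-admin requests to REST
 *              routes whose path contains "ninja-forms-views" and logs the attempt.
 *              Place this file in wp-content/mu-plugins/ so it loads before plugins.
 */

// Assumption: the affected routes live under a REST namespace containing this
// string. The advisory does not give full route paths, so match on the substring
// rather than on specific endpoint names.
const NFV_GUARD_NEEDLE = 'ninja-forms-views';

add_filter( 'rest_pre_dispatch', 'nfv_guard_pre_dispatch', 10, 3 );

/**
 * Runs before WordPress dispatches any REST request.
 *
 * @param mixed           $result  Non-null if an earlier filter already produced a response.
 * @param WP_REST_Server  $server  The REST server instance.
 * @param WP_REST_Request $request The incoming request.
 * @return mixed Original $result to continue, or WP_Error to short-circuit.
 */
function nfv_guard_pre_dispatch( $result, $server, $request ) {
    // Respect a response produced by an earlier filter.
    if ( null !== $result ) {
        return $result;
    }

    $route = $request->get_route();
    if ( false === strpos( $route, NFV_GUARD_NEEDLE ) ) {
        return $result; // Not a Ninja Forms views route; leave it alone.
    }

    // A leaked or minted bearer token is not a WordPress login, so it cannot
    // satisfy this check. Only an authenticated administrator gets through.
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return $result;
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    // Record only whether a bearer token was presented, never its value.
    $has_bearer = isset( $_SERVER['HTTP_AUTHORIZATION'] )
        && 0 === stripos( $_SERVER['HTTP_AUTHORIZATION'], 'Bearer ' );

    // One line per blocked request for the monitoring step (recommendation 4).
    error_log( sprintf(
        'nfv-guard: blocked %s %s from %s (bearer=%s)',
        $request->get_method(),
        $route,
        $ip,
        $has_bearer ? 'yes' : 'no'
    ) );

    // 401 for anonymous callers, 403 for logged-in users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'Access to this endpoint is temporarily restricted.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
```

Because the Submissions Table block is what exposes the token, this guard will also break that block for anonymous visitors, which is the intended effect while the site is unpatched; administrators viewing the block while logged in are unaffected. The `bearer=` field in the log line depends on the web server passing the `Authorization` header through to PHP (Apache under some configurations strips it), so treat a `bearer=no` entry as "not observed" rather than "absent". Remove the file once a release newer than 3.13.2 that the developer confirms fixes CVE-2025-11924 is installed.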


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-10-17T18:54:25.934Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 694254ebbd21432f8e5297b8

Added to database: 12/17/2025, 6:59:55 AM

Last enriched: 12/17/2025, 7:14:52 AM

Last updated: 12/17/2025, 9:04:53 AM

