
CVE-2025-11924: CWE-639 Authorization Bypass Through User-Controlled Key in kstover Ninja Forms – The Contact Form Builder That Grows With You

Severity: High
Published: Wed Dec 17 2025 (12/17/2025, 06:42:30 UTC)
Source: CVE Database V5
Vendor/Project: kstover
Product: Ninja Forms – The Contact Form Builder That Grows With You

Description

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 19:41:40 UTC

Technical Analysis

CVE-2025-11924 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Ninja Forms plugin for WordPress, a widely used contact form builder. The vulnerability exists in all versions up to and including 3.13.2. The root cause is the plugin's failure to properly verify that a user is authorized before the `ninja-forms-views` REST API endpoints return form metadata and submission content. This allows unauthenticated attackers to access arbitrary form definitions and submission records if they possess a leaked bearer token and can load any page containing the Submissions Table block. The initial patch released in version 3.13.1 attempted to fix the issue but inadvertently introduced a new REST API endpoint that enables attackers to mint valid bearer tokens for arbitrary form IDs, effectively bypassing the intended authorization controls. The vulnerability can be exploited remotely without any user interaction or privileges, making it highly accessible to attackers. The impact is primarily on confidentiality, as attackers can read sensitive form submission data, which may include personal or confidential information submitted by users. The vulnerability does not affect data integrity or availability. The CVSS v3.1 base score is 7.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. No known exploits have been reported in the wild yet, but the vulnerability poses a significant risk given the popularity of Ninja Forms and WordPress. The lack of an effective patch at present increases the urgency for mitigation.

Potential Impact

The vulnerability allows attackers to bypass authorization controls and access sensitive form metadata and submission data without authentication. This can lead to exposure of personally identifiable information (PII), confidential business data, or other sensitive user inputs collected via Ninja Forms. Organizations using this plugin risk data breaches that could result in regulatory penalties, loss of customer trust, and reputational damage. Since the exploit requires no privileges or user interaction, it can be automated and scaled to target multiple sites. Attackers could also leverage leaked bearer tokens from other sources to expand their access. Although integrity and availability are not directly impacted, the confidentiality breach alone is critical, especially for organizations handling sensitive or regulated data. The ineffective patch increases the window of exposure, making timely mitigation essential. This vulnerability could be exploited by cybercriminals, espionage actors, or hacktivists targeting organizations with public-facing WordPress sites using Ninja Forms.

Mitigation Recommendations

1. Immediately upgrade Ninja Forms to a version that fully addresses CVE-2025-11924 once a reliable patch is released by the vendor.
2. Until a secure patch is available, consider disabling or removing the Ninja Forms plugin to eliminate exposure.
3. Restrict access to REST API endpoints related to Ninja Forms using web application firewall (WAF) rules or server-level access controls to block unauthorized requests.
4. Monitor web server and application logs for suspicious access patterns to the `ninja-forms-views` endpoints or unusual bearer token usage.
5. Rotate any leaked bearer tokens and invalidate existing tokens if possible.
6. Implement strict least privilege policies for WordPress users and audit plugin usage regularly.
7. Employ network segmentation and intrusion detection systems to detect and prevent exploitation attempts.
8. Educate site administrators about the risks and signs of exploitation.
9. Review and sanitize form data handling to minimize sensitive data exposure.
10. Maintain regular backups and incident response plans in case of data compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-17T18:54:25.934Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694254ebbd21432f8e5297b8

Added to database: 12/17/2025, 6:59:55 AM

Last enriched: 2/27/2026, 7:41:40 PM

Last updated: 3/24/2026, 12:15:52 AM
