CVE-2025-11924: CWE-639 Authorization Bypass Through User-Controlled Key in kstover Ninja Forms – The Contact Form Builder That Grows With You
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token, provided they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint through which a valid bearer token can be minted for arbitrary form IDs, making that patch ineffective.
AI Analysis
Technical Summary
CVE-2025-11924 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Ninja Forms WordPress plugin, a widely used contact form builder. The vulnerability exists because the plugin's 'ninja-forms-views' REST API endpoints do not properly verify user authorization before returning form metadata and submission content. This flaw allows unauthenticated attackers who possess a leaked bearer token to retrieve arbitrary form definitions and submission records. The issue is compounded by a flawed patch released in version 3.13.1, which inadvertently introduced a REST API endpoint enabling attackers to mint valid bearer tokens for any form ID, effectively bypassing the intended fix. The vulnerability affects all versions up to and including 3.13.2. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, no privileges required, no user interaction, and high confidentiality impact. The vulnerability does not affect integrity or availability but poses a significant risk of sensitive data exposure. No known exploits have been reported in the wild yet, but the ease of exploitation and the potential for data leakage make this a critical concern for organizations relying on Ninja Forms for data collection.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized disclosure of sensitive personal data collected via Ninja Forms, including contact details, personal identifiers, and potentially sensitive submission content. This can lead to violations of GDPR and other data protection regulations, resulting in legal penalties and reputational damage. Organizations in sectors such as healthcare, finance, education, and government, which often use WordPress-based websites with contact forms, are particularly vulnerable. The exposure of confidential form submissions can facilitate further attacks such as phishing, social engineering, or identity theft. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad. The ineffective patch increases the risk window, as organizations may believe they are protected when they are not. The lack of known exploits currently provides a limited window for proactive mitigation before potential exploitation.
Mitigation Recommendations
1. Immediately verify the installed Ninja Forms version. Every release up to and including 3.13.2 is affected, and 3.13.1 and 3.13.2 are not safe despite the attempted fix, because the endpoint added in 3.13.1 lets an attacker mint a valid bearer token for any form ID.
2. Monitor the official Ninja Forms and WordPress security advisories for a corrected release that closes the authorization gap without the token-minting endpoint, and apply it promptly once available.
3. Until then, restrict access to the `ninja-forms-views` REST endpoints at the web server or web application firewall: allowlist source IPs, or require an authenticated WordPress session. Cover both ways WordPress exposes a REST namespace, the pretty-permalink form under `/wp-json/` and the `?rest_route=` query-parameter fallback, or the restriction can be bypassed.
4. Audit and rotate any bearer tokens that may have leaked from pages rendering the Submissions Table block. On 3.13.1 and 3.13.2 this is not sufficient on its own, since a fresh token can be minted through the flawed patch's endpoint; rotation only helps once a corrected release is installed.
5. Log and monitor requests to the Ninja Forms REST endpoints, and alert on sources outside the expected set or on bursts of requests that walk many form IDs, which is what bulk extraction of submissions looks like.
6. If immediate patching is not possible, temporarily remove the Submissions Table block from public pages or disable the Ninja Forms REST endpoints entirely.
7. Educate web administrators about the risks of embedding bearer tokens in public page output and the importance of secure token management.
8. Review stored form submissions and access logs for signs of unauthorized access or data exfiltration, and treat any confirmed exposure of personal data as a reportable incident under GDPR.
9. Deploy web application firewall rules that block REST API calls to the `ninja-forms-views` namespace from untrusted sources.
10. Keep regular backups of website data to enable recovery in case of compromise.
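As an added example (not code from the Wordfence advisory or from the Ninja Forms project), the Python helpers below cover items 1, 3 and 5 of the list above: a version check against the vulnerable range, and an access-log triage pass that finds clients hitting the `ninja-forms-views` REST namespace, flags sources outside an allowlist, and flags anyone exceeding a request budget. The log lines are constructed for the example; the route segments after the namespace in them (`/v1/forms/<id>/submissions`) are assumptions for illustration, as the advisory only names the namespace. Matching covers both `/wp-json/ninja-forms-views/...` and the `?rest_route=/ninja-forms-views/...` fallback that WordPress accepts.

```python
"""Triage helpers for CVE-2025-11924 (Ninja Forms <= 3.13.2).

Added example, not the plugin's or the advisory's own code.
  is_affected()        - is an installed version inside the vulnerable range?
  triage_access_log()  - which clients touch the ninja-forms-views REST
                         namespace, and which of them look suspicious?
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Last vulnerable release per the advisory ("up to, and including, 3.13.2").
LAST_VULNERABLE = (3, 13, 2)


def parse_version(version):
    """Turn '3.13.2' (or '3.13.2-beta1') into a comparable integer tuple."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True for every release up to and including 3.13.2, 3.13.1/3.13.2 included."""
    return parse_version(version) <= LAST_VULNERABLE


def plugin_version_from_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin main-file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.M)
    return match.group(1) if match else None


# Apache/nginx combined log format: client, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Both ways WordPress exposes a REST namespace: pretty permalinks under /wp-json/
# and the rest_route query-parameter fallback. Only the namespace comes from the
# advisory; anything after it is plugin-internal routing.
ENDPOINT_RE = re.compile(r"/wp-json/ninja-forms-views(?:/|$|\?)|[?&]rest_route=/ninja-forms-views")


def is_ninja_views_request(path):
    return ENDPOINT_RE.search(path) is not None


def triage_access_log(lines, allowlist, max_requests=20):
    """Return (requests_per_ip, findings).

    findings is a list of dicts for clients that hit the namespace from outside
    the allowlist (CIDR strings) or that exceeded max_requests. Distinct paths
    per client are counted because walking many form IDs is the bulk-read pattern.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    counts = Counter()
    paths = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_ninja_views_request(m["path"]):
            continue
        counts[m["ip"]] += 1
        paths[m["ip"]].add(m["path"])

    findings = []
    for ip, n in counts.items():
        try:
            allowed = any(ipaddress.ip_address(ip) in net for net in nets)
        except ValueError:  # unparsable client field: never treat as trusted
            allowed = False
        reasons = []
        if not allowed:
            reasons.append("source outside allowlist")
        if n > max_requests:
            reasons.append(f"{n} requests exceeds budget of {max_requests}")
        if reasons:
            findings.append({"ip": ip, "requests": n,
                             "distinct_paths": len(paths[ip]), "reasons": reasons})
    return counts, findings


# Constructed sample log lines (not real traffic). 203.0.113.5 walks three forms
# from an unknown address; 10.0.0.8 is an internal admin host; the last line is
# ordinary page traffic and must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2025:07:01:10 +0000] "GET /wp-json/ninja-forms-views/v1/forms/1/submissions HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.5 - - [17/Dec/2025:07:01:11 +0000] "GET /wp-json/ninja-forms-views/v1/forms/2/submissions HTTP/1.1" 200 4801 "-" "curl/8.4.0"
203.0.113.5 - - [17/Dec/2025:07:01:12 +0000] "GET /?rest_route=/ninja-forms-views/v1/forms/3 HTTP/1.1" 200 912 "-" "curl/8.4.0"
10.0.0.8 - - [17/Dec/2025:07:05:00 +0000] "GET /wp-json/ninja-forms-views/v1/forms/1 HTTP/1.1" 200 912 "https://example.org/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [17/Dec/2025:07:06:30 +0000] "GET /contact/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("3.13.2 affected:", is_affected("3.13.2"))
    counts, findings = triage_access_log(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"], max_requests=2)
    for f in findings:
        print(f"{f['ip']}: {f['requests']} requests, {f['distinct_paths']} paths, {', '.join(f['reasons'])}")
```

Run it against the real access log and the real allowlist; the request budget should be set from normal traffic to the Submissions Table block on the site, since legitimate editors viewing the block also call these endpoints.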
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-17T18:54:25.934Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694254ebbd21432f8e5297b8
Added to database: 12/17/2025, 6:59:55 AM
Last enriched: 12/24/2025, 8:18:21 AM
Last updated: 2/7/2026, 1:18:59 PM
Views: 129
Related Threats
- CVE-2026-2085: Command Injection in D-Link DWR-M921 (High)
- CVE-2026-2084: OS Command Injection in D-Link DIR-823X (High)
- CVE-2026-2083: SQL Injection in code-projects Social Networking Site (Medium)
- CVE-2026-2082: OS Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)