CVE-2026-2268: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in kstover Ninja Forms – The Contact Form Builder That Grows With You
The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.
AI Analysis
Technical Summary
CVE-2026-2268 is a sensitive information exposure vulnerability in the Ninja Forms WordPress plugin (up to version 3.14.0). The issue arises from the unsafe application of the ninja_forms_merge_tags filter to user-supplied input within repeater fields, which allows unauthenticated attackers to resolve {post_meta:KEY} merge tags without authorization checks. This enables attackers to extract arbitrary post metadata, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information, through the nf_ajax_submit AJAX action. The vulnerability has a CVSS 3.1 score of 7.5 (high severity) and is identified as CWE-200.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to access sensitive information stored as post metadata on the affected WordPress site. This includes potentially sensitive customer data and secret tokens, which could lead to privacy violations and further security risks if leveraged in subsequent attacks. There is no indication of impact on integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or restricting access to the nf_ajax_submit AJAX action or limiting the use of repeater fields that utilize the ninja_forms_merge_tags filter. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-2268: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in kstover Ninja Forms – The Contact Form Builder That Grows With You
Description
The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2268 is a sensitive information exposure vulnerability in the Ninja Forms WordPress plugin (up to version 3.14.0). The issue arises from the unsafe application of the ninja_forms_merge_tags filter to user-supplied input within repeater fields, which allows unauthenticated attackers to resolve {post_meta:KEY} merge tags without authorization checks. This enables attackers to extract arbitrary post metadata, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information, through the nf_ajax_submit AJAX action. The vulnerability has a CVSS 3.1 score of 7.5 (high severity) and is identified as CWE-200.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to access sensitive information stored as post metadata on the affected WordPress site. This includes potentially sensitive customer data and secret tokens, which could lead to privacy violations and further security risks if leveraged in subsequent attacks. There is no indication of impact on integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or restricting access to the nf_ajax_submit AJAX action or limiting the use of repeater fields that utilize the ninja_forms_merge_tags filter. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-09T20:41:21.736Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 698afe6e4b57a58fa1f90114
Added to database: 2/10/2026, 9:46:22 AM
Last enriched: 4/9/2026, 10:03:40 PM
Last updated: 5/11/2026, 3:18:20 AM
Views: 156
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.