CVE-2025-11924

HIGH EXPLOITED

Ninja Forms < 3.13.2 - Unauthenticated Insecure Direct Object Reference via REST Endpoint

Title source: llm

Exploitation Summary

CVE-2025-11924 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3415563/ninja-forms

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/4240cdae-9122-443e-8a7e-3369e74384be?source=cve

Scores

CVSS v3 7.5

EPSS 0.0036

EPSS Percentile 28.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2025-12-17

CWE

CWE-639

Status published

Products (2)

kstover/Ninja Forms – The Contact Form Builder That Grows With You < 3.13.2

ninjaforms/ninja_forms < 3.13.1

Published Dec 17, 2025

Tracked Since Feb 18, 2026