CVE-2025-14072
Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
02 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · Ninja Forms