CVE-2021-34647 — Incorrect Authorization in Drive Ninja Forms

CWE-863 — Incorrect Authorization CWE-862 — Missing Authorization4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 27.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Saturday Drive Ninja Forms Ninjaforms Ninja Forms

Timeline

PublishedSep 22

Latest updateMay 24

Description

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDninjaforms/ninja_forms3.5.7

▶CVEListV5saturday_drive/ninja_forms3.5.7 — 3.5.7

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-jgh8-23p9-p5x7: The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Ro↗2022-05-24

▶

CVEList

Ninja Forms <= 3.5.7 Sensitive Information Disclosure↗2021-09-22

▶

VulnCheck

ninjaforms ninja_forms Incorrect Authorization↗2021

▶