CVE-2025-10498
published 2025-09-27

Priority: P4 (24)
CVSS 3.1: 5.4 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
EPSS: 0.15% (4.7th percentile)

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
kstover | ninja_forms_the_contact_form_builder_that_grows_with_you | <= 3.12.0 | -
ninjaforms | ninja_forms | < 3.12.1 | 3.12.1