CVE-2025-14072

CWE-287 — Improper Authentication4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 93.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Ninja Forms Ninjaforms Ninja Forms

Timeline

PublishedJan 2

Description

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5unknown/ninja_forms< 3.13.3

▶NVDninjaforms/ninja_forms< 3.13.3

🔴Vulnerability Details

GHSA

GHSA-mjh6-7rhf-fhc8: The Ninja Forms WordPress plugin before 3↗2026-01-02

▶

CVEList

Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure↗2026-01-02

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14072 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶