Ninja Forms WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Unauthenticated File Deletion

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ninja Forms WordPress plugin, affecting all versions through 3.12.0. The CSV export action does not adequately validate a nonce, so an unauthenticated attacker who tricks an administrator into clicking a crafted link can cause the plugin to delete exported CSV files.
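The defect class described above is a state-changing admin action that trusts the browser session alone. The following is an added illustration of that pattern and its fix in ordinary WordPress plugin code; it is not Ninja Forms code, and the action names, function names and the `exports/` directory are assumptions made for the example. The weak handler accepts any logged-in request that reaches it, including one forged by a third-party page; the hardened handler requires a nonce bound to the action and file, checks a capability, and confines deletion to the exports directory.

```php
<?php
// Added example of a WordPress admin-post handler that deletes an exported CSV.
// Hypothetical names throughout; not the plugin's own code.

// Weak form: the request is trusted because the user is logged in. A cross-site
// request carrying the administrator's cookies reaches this handler with no
// token check, so the plugin cannot tell it apart from a genuine click.
function insecure_delete_export_csv() {
    $file = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $path = trailingslashit( wp_upload_dir()['basedir'] ) . 'exports/' . $file;
    if ( '' !== $file && file_exists( $path ) ) {
        unlink( $path );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=exports' ) );
    exit;
}
add_action( 'admin_post_insecure_delete_export_csv', 'insecure_delete_export_csv' );

// Hardened form: verify a nonce tied to this action and this file, require the
// capability, and refuse any path that resolves outside the exports directory.
function secure_delete_export_csv() {
    $file = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';

    // check_admin_referer() terminates with a 403 when the nonce is missing or
    // invalid. Including the filename in the nonce action means a token issued
    // for one file cannot be replayed against another.
    check_admin_referer( 'delete_export_csv_' . $file, '_wpnonce' );

    // A valid nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }

    $exports_dir = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'exports' );
    $path        = realpath( $exports_dir . DIRECTORY_SEPARATOR . $file );
    if ( '' === $file || false === $exports_dir || false === $path
        || 0 !== strpos( $path, $exports_dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( esc_html__( 'Invalid export file.' ), 400 );
    }

    unlink( $path );
    wp_safe_redirect( admin_url( 'admin.php?page=exports' ) );
    exit;
}
add_action( 'admin_post_secure_delete_export_csv', 'secure_delete_export_csv' );

// The admin-side link carries the matching nonce; a link built anywhere else
// lacks it and is rejected by the hardened handler.
function secure_delete_export_csv_link( $file ) {
    $url = add_query_arg(
        array(
            'action' => 'secure_delete_export_csv',
            'file'   => $file,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'delete_export_csv_' . $file, '_wpnonce' );
}
```

The nonce is the control this advisory says was inadequate: WordPress nonces are tied to the user, the action string and a time window, so a page on another origin cannot construct one. The capability and path checks are independent defenses that remain useful when the nonce is present.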

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of CSV files exported by the Ninja Forms plugin.

Reproduction

Reproduction relies on the missing nonce check: an administrator with an active session is induced to follow a link that invokes the CSV export action without the expected security token, and the plugin processes the request because it does not verify that token.

Remediation

Users are advised to update the Ninja Forms WordPress plugin to version 3.12.1 or later.

Added: Sep 27, 2025, 3:18 AM
Updated: Sep 27, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.