Volerion logoVolerion
Volerion logoVolerion

Ninja Forms WordPress Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ninja Forms WordPress plugin, specifically in versions through 3.12.0. The issue arises from inadequate nonce validation in the 'maybe_opt_in' function, allowing unauthenticated attackers to manipulate usage statistics collection. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability allows for unauthorized modification of plugin settings, specifically opting a site into usage statistics collection without the administrator's consent.

Remediation

Users can update to Ninja Forms version 3.12.1 or a later patched version to address this vulnerability.

Added: Sep 27, 2025, 3:20 AM
Updated: Sep 27, 2025, 3:20 AM

Vulnerability Rating

Custom Algorithm
spread
7.6
impact
0.6
exploitability
7.2
remediation
7.7
relevance
0.6
threat
3.2
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.