Ninja Forms WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A vulnerability allowing sensitive information exposure has been identified in the Ninja Forms plugin for WordPress, affecting all versions through 3.14.0. The issue arises from the improper application of the 'ninja_forms_merge_tags' filter to user-supplied input in repeater fields. This flaw enables the resolution of '{post_meta:KEY}' merge tags without proper authorization checks, allowing unauthenticated attackers to access arbitrary post metadata from any post on the site. The exposed data may include sensitive information such as WooCommerce billing emails, API keys, private tokens, and personal customer details, all through the 'nf_ajax_submit' AJAX action.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive post metadata, including personal customer information and private data such as API keys and WooCommerce billing emails.

Reproduction

To reproduce this vulnerability, send a request to the 'nf_ajax_submit' AJAX action with 'formData' that includes a repeater field. The 'post_meta' merge tags in the repeater field will be resolved without authorization, allowing access to sensitive post metadata.

Remediation

Users are advised to update the Ninja Forms plugin to version 3.14.1 or later, where the issue is fixed.
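The following Python script is an added triage example, not code from the advisory or from the Ninja Forms project. It covers two defender-side checks for the sections above: it reads the installed plugin version from the main plugin file's header and compares it against the 3.14.1 fix version, and it scans captured 'nf_ajax_submit' submissions for '{post_meta:...}' merge tags anywhere in the submitted field values, which is the pattern the advisory describes. The request layout (a JSON 'formData' string containing a 'fields' list), the plugin header text and the sample submissions are constructed assumptions, not the plugin's real schema.

```python
"""Triage helpers for the Ninja Forms post_meta merge-tag issue (added example)."""
import json
import re

# Versions below this one are affected according to the advisory.
PATCHED_VERSION = (3, 14, 1)

# Merge tags look like {post_meta:KEY}; whitespace around the parts is tolerated.
MERGE_TAG_RE = re.compile(r"\{\s*post_meta\s*:\s*([^}]*)\}", re.IGNORECASE)

# Constructed plugin header, in the usual WordPress plugin file format (assumption).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Version: 3.14.0
*/
"""

# Constructed submissions as a WAF or request logger might capture them (assumption:
# 'formData' is a JSON string with a 'fields' list; this is not the plugin's real schema).
BENIGN = {
    "action": "nf_ajax_submit",
    "formData": json.dumps({"id": "1", "fields": [
        {"id": "2", "value": "hello"},
        {"id": "3", "value": ["a", "b"]},
    ]}),
}
SUSPICIOUS = {
    "action": "nf_ajax_submit",
    "formData": json.dumps({"id": "1", "fields": [
        {"id": "2", "value": "hello"},
        {"id": "3", "value": "{post_meta:EXAMPLE_KEY}"},  # placeholder key
    ]}),
}


def parse_version(text):
    """Turn '3.14.0' into (3, 14, 0); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_version_from_header(header_text):
    """Extract the 'Version:' value from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version_text):
    """True when the installed version predates the 3.14.1 fix."""
    return parse_version(version_text) < PATCHED_VERSION


def find_merge_tags(value, path="formData"):
    """Recursively walk decoded JSON; return (path, key) for every post_meta merge tag found."""
    hits = []
    if isinstance(value, dict):
        for k, v in value.items():
            hits.extend(find_merge_tags(v, f"{path}.{k}"))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            hits.extend(find_merge_tags(v, f"{path}[{i}]"))
    elif isinstance(value, str):
        for m in MERGE_TAG_RE.finditer(value):
            hits.append((path, m.group(1).strip()))
    return hits


def triage_submission(record):
    """Return merge-tag hits for one captured request; only nf_ajax_submit is inspected."""
    if record.get("action") != "nf_ajax_submit":
        return []
    try:
        data = json.loads(record.get("formData", ""))
    except (TypeError, ValueError):
        return []  # malformed or non-JSON payload: nothing to resolve
    return find_merge_tags(data)


if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_HEADER)
    print(f"installed {installed}: vulnerable={is_vulnerable_version(installed)}")
    for name, rec in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_submission(rec))
```

In practice the header text would be read from the plugin's main file under wp-content/plugins, and the submission records would come from whatever logs request bodies to admin-ajax.php; any hit from triage_submission on an unpatched site is worth correlating with the responses those requests received.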

Added: Feb 10, 2026, 12:16 PM
Updated: Feb 10, 2026, 3:47 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 8.9
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.