[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fArKj7JyJCEQ1jP8ZbnfH5pof4gbILyQLKdbY9A7ONyI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-1307","ninja-forms-authenticated-contributor-sensitive-information-disclosure-via-block-editor-token","Ninja Forms \u003C= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token","The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks\u002Fbootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.","ninja-forms",null,"\u003C=3.14.1","3.14.2","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-27 18:10:41","2026-03-28 06:46:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdf4f4358-af6a-4a1a-bb83-afe31b3cdb9f?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fmin\u002Ffront-end-bundle.js","assets\u002Fjs\u002Fmin\u002Ffront-end.js","assets\u002Fjs\u002Fmin\u002Ffront-end.js.map","blocks\u002Fbootstrap.php","build\u002Ffields.asset.php","build\u002Ffields.js","build\u002Fsub-table-block.asset.php","build\u002Fsub-table-block.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-1307\n\n## 1. Vulnerability Summary\nThe **Ninja Forms** plugin (versions \u003C= 3.14.1) contains a sensitive information disclosure vulnerability. The plugin improperly exposes a cryptographic authorization token to users with **Contributor-level** access and above. This token is intended to grant access to form submission data via the REST API.\n\nThe flaw exists in `blocks\u002Fbootstrap.php` within the `admin_enqueue_scripts` action handler. While the code attempts to restrict token generation to users with specific capabilities, the default or filtered capability requirements in affected versions allow Contributor+ users (who can access the WordPress Block Editor) to receive the token. This token is localized into the global JavaScript object `ninjaFormsViews`, allowing an attacker to use it to retrieve submission data for any form on the site.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fpost-new.php` (or any block editor page) and the REST API endpoint `wp-json\u002Fninja-forms-submissions\u002Fv1\u002Fsubmissions`.\n- **Preconditions**:\n    - Attacker must have an account with at least `Contributor` privileges.\n    - At least one Ninja Form must exist with submission data.\n- **Leaked Material**: An authorization token generated by `NinjaForms\\Blocks\\Authentication\\TokenFactory`.\n- **Target Sink**: The Ninja Forms Submissions REST API, which accepts the leaked token to bypass standard capability checks for viewing submissions.\n\n## 3. Code Flow\n1. **Entry Point**: A Contributor user accesses `wp-admin\u002Fpost-new.php`.\n2. **Hook Execution**: The `admin_enqueue_scripts` action in `blocks\u002Fbootstrap.php` fires.\n3. **Condition Check**: The code checks `is_block_editor()`. Since Contributor users can create posts, this is true.\n4. **Capability Check (Vulnerable)**: The code checks `current_user_can( $views_capability )`. In vulnerable versions, `$views_capability` (derived from filters) is either not properly enforced or defaults to a capability held by Contributors.\n5. **Token Generation**: `NinjaForms\\Blocks\\Authentication\\TokenFactory::make()->create($publicKey, $allFormIds)` generates a token for all forms.\n6. **Information Disclosure**: `wp_localize_script` attaches the token to the `ninja-forms\u002Fsubmissions-table\u002Fblock` script as the `token` property of the `ninjaFormsViews` object.\n7. **Exploitation**: The attacker extracts `window.ninjaFormsViews.token` and calls the REST API.\n\n## 4. Nonce & Token Acquisition Strategy\nSince the vulnerability *is* the exposure of a token, we must use the browser context to extract it.\n\n1.  **Login**: Log in as a Contributor.\n2.  **Navigation**: Navigate to the \"New Post\" page: `wp-admin\u002Fpost-new.php`.\n3.  **Extraction**: Use `browser_eval` to access the global JS object.\n    - **JS Object**: `window.ninjaFormsViews`\n    - **Key**: `token`\n    - **Execution**: `browser_eval(\"window.ninjaFormsViews?.token\")`\n4.  **Form Discovery**: The `nfFormsBlock` object (also localized in the same file) may contain form IDs.\n    - **Execution**: `browser_eval(\"window.nfFormsBlock?.forms\")`\n\n## 5. Exploitation Strategy\n\n### Step 1: Setup Test Data\n1. Create a Ninja Form (ID 1).\n2. Use WP-CLI to simulate a submission for Form 1.\n3. Create a user `attacker` with the `contributor` role.\n\n### Step 2: Extract Leaked Token\n1. Log in to the WordPress dashboard as `attacker`.\n2. Navigate to `wp-admin\u002Fpost-new.php`.\n3. Extract the token from `window.ninjaFormsViews.token`.\n\n### Step 3: Access Submissions via REST API\n1. Use the leaked token to query the submissions endpoint.\n2. **Request Type**: `GET`\n3. **Endpoint**: `\u002Fwp-json\u002Fninja-forms-submissions\u002Fv1\u002Fsubmissions`\n4. **Parameters**:\n    - `formID`: (e.g., `1`)\n    - `token`: `[LEAKED_TOKEN]`\n5. **Headers**:\n    - `X-WP-Nonce`: Standard REST nonce (can be obtained via `window.wpApiSettings.nonce` in the editor). *Note: The token itself handles authorization for the specific Ninja Forms data.*\n\n### Step 4: Verify Disclosure\n1. The response should be a JSON array containing the fields and values of the submissions for the requested form, which a Contributor normally cannot see.\n\n## 6. Test Data Setup\n```bash\n# 1. Create a form (or use default if plugin creates one)\n# 2. Create a submission for form 1\n# Note: Submissions are stored in 'nf3_submissions' and 'nf3_submission_values' tables\n# It is easier to use a manual HTTP POST to a public form if it exists.\n\n# 3. Create Contributor user\nwp user create attacker attacker@example.com --role=contributor --user_pass=password123\n```\n\n## 7. Expected Results\n- Navigating to the editor as a Contributor reveals a token in the page source\u002FJS scope.\n- `GET \u002Fwp-json\u002Fninja-forms-submissions\u002Fv1\u002Fsubmissions?formID=1&token=\u003CTOKEN>` returns a `200 OK` with sensitive submission data.\n- Without the token, the same request returns `403 Forbidden` or `401 Unauthorized`.\n\n## 8. Verification Steps\n1. **Check API Response**: Verify the JSON contains the string \"submission\" and the values submitted in Step 1.\n2. **Check Capability**: Confirm that a standard `GET \u002Fwp-admin\u002Fedit.php?post_type=nf_sub&form_id=1` results in a permission error for the `attacker` user, proving that the REST API bypass is the only way they accessed the data.\n\n## 9. Alternative Approaches\nIf `ninja-forms\u002Fsubmissions-table\u002Fblock` is not enqueued for some reason:\n- Check if `ninja-forms\u002Fsubmissions-table\u002Frender` is enqueued if a \"Submissions Table\" block is added to a post (even if not published).\n- Attempt to manually enqueue the script if the Contributor has enough permissions to trigger the block loader.\n- If the endpoint differs, check `rest_api_init` in `blocks\u002Fbootstrap.php` (truncated in source) for the exact route path. It is likely `ninja-forms-submissions\u002Fv1`.","gemini-3-flash-preview","2026-04-17 22:32:27","2026-04-17 22:32:53",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.14.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fninja-forms\u002Ftags\u002F3.14.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fninja-forms.3.14.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fninja-forms\u002Ftags\u002F3.14.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fninja-forms.3.14.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fninja-forms\u002Ftags"]