CVE-2021-34647 MEDIUM

CVE-2021-34647: Ninja Forms <= 3.5.7 Sensitive Information Disclosure

Vendor Saturday Drive

Product Ninja Forms

Weakness CWE-863 · Incorrect authorization

Published September 22, 2021

Last update March 31, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information.

Key dates

02Disclosure timeline

September 22, 2021 CVE published

March 31, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-34647

Related vulnerabilities

04Related CVE

CVE-2024-5816 Improper authorization allows persistent access in GitHub Enterprise Server CVE-2024-43131 WordPress Docket (WooCommerce Collections / Wishlist / Watchlist) plugin < 1.7.0 - Unauthenticated Arbitrary Post/Page Deletion vulnerability CVE-2025-48044 Authorization bypass when bypass policy condition evaluates to true CVE-2024-4146 Incorrect Authorization in lunary-ai/lunary CVE-2026-33330 FileRise ONLYOFFICE integration allows read-only users to overwrite files via forged save callback