What the vulnerability does
01Description
The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.
Explanation of Vulnerability in Simple Terms
02Summary
Ninja Forms versions 3.14.0 and earlier expose sensitive information that can be accessed over the network without authentication. An attacker can read data that should be restricted, such as form submissions, user details, or configuration information. No user interaction is required. Update to a version newer than 3.14.0 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read sensitive form data, user information, or plugin configuration without logging in.
Potential impact on your site
04Site Impact
Visitor and customer data submitted through Ninja Forms may be exposed to unauthorized access.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
February 10, 2026
CVE published
April 8, 2026
Record updated
