Vulnerability Description
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ninjaforms | Ninja Forms | <= 3.5.7 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/ninja-forms/trunk/includes/Routes/SubPatchThird Party Advisory
- https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninjaExploitThird Party Advisory
- https://plugins.trac.wordpress.org/browser/ninja-forms/trunk/includes/Routes/SubPatchThird Party Advisory
- https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninjaExploitThird Party Advisory
FAQ
What is CVE-2021-34647?
CVE-2021-34647 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and i...
How severe is CVE-2021-34647?
CVE-2021-34647 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-34647?
Check the references section above for vendor advisories and patch information. Affected products include: Ninjaforms Ninja Forms.