Ninja Forms v3.6.26 Fixes Multiple High Severity Security Issues

Ninja Forms Plugin: Multiple High Severity Security Vulnerabilities Patched

If you use the Ninja Forms plugin and your sites aren’t set to get automatic plugin updates, add a round of updates to your weekend plans. Patchstack is reporting multiple high severity security vulnerabilities in the plugin, including the following:

1. POST-based reflected XSS (7.6 CVSS 3.1 score)

2. Broken access control on form submissions export feature that allows Subscriber and Contributor role users to export all of the Ninja Forms submissions on a WordPress site (7.6 CVSS 3.1 score)

Patchstack researchers discovered the vulnerabilities on June 22, 2023, and Ninja Forms patched them on July 4, 2023. The security advisory was publicly released on July 27, 2023.

The plugin’s changelog for version 3.6.26 transparently identifies the security fixes included in the release:

“Security Enhancements:

– Prevent unauthorized download of submission

– Prevent scripts in dashboard field labels; responsibly reported by Sayandeep Dutta

– Prevent front-facing label scripts; responsibly reported by Jonathon Zamora &

– Prevent excess extra data through automated form submission

– Prevent override access where not permitted”

Ninja Forms is used on more than 800,000 WordPress sites. The majority of the plugin’s users are on version 3.6.x (73.6%), but a more detailed breakdown of minor versions isn’t available, so it’s not clear how many are still vulnerable. Ninja Forms users are advised to patch their sites immediately. At this time, the vulnerabilities are not known to have been exploited.

Why Should You Update?

Keeping your website secure is crucial to protect your data and your users’ information. Security vulnerabilities can be exploited by hackers to gain unauthorized access, inject malicious code, or steal sensitive data. By updating your Ninja Forms plugin to the latest version, you ensure that these high severity security vulnerabilities are patched, reducing the risk of a potential breach.

The POST-based reflected XSS vulnerability is particularly concerning because it allows an attacker to inject malicious script into a page the site returns, which then executes in the browser of a user who interacts with that page. This can lead to various attacks, including stealing sensitive information or taking control of the website.

The broken access control vulnerability is also significant as it allows users with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site. This could potentially expose sensitive user data and compromise the privacy of your users.

How to Update Ninja Forms Plugin

To update your Ninja Forms plugin and apply the necessary security patches, follow these steps:

1. Log in to your WordPress admin dashboard.

2. Go to the “Plugins” section.

3. Locate the Ninja Forms plugin and check if an update is available.

4. If an update is available, click on the “Update Now” button.

5. Wait for the update to complete.

6. Once the update is finished, verify that you are running the latest version (3.6.26 or higher).
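For operators who manage several sites from the command line, the version check in step 6 can be scripted. The following is an added example, not code from Ninja Forms or Patchstack; it assumes WP-CLI (`wp`) is installed, that the plugin slug is `ninja-forms`, and that the function names and site paths are your own.

```shell
#!/bin/sh
# Added example: flag WordPress installs running Ninja Forms below 3.6.26.
FIXED="3.6.26"   # first patched release named in the article

# ver_ge A B: succeed when dotted version A >= B, comparing each component
# numerically (so 3.6.9 < 3.6.26 and 3.10.0 > 3.6.26, unlike a string compare).
ver_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# nf_classify VERSION: print patched, vulnerable, or unknown.
# "unknown" covers an empty or non-numeric version (plugin missing, wp failed).
nf_classify() {
  v=$1
  case $v in
    ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return ;;
  esac
  if ver_ge "$v" "$FIXED"; then echo patched; else echo vulnerable; fi
}

# nf_audit PATH...: one "path<TAB>version<TAB>status" line per WordPress root.
nf_audit() {
  for site in "$@"; do
    ver=$(wp plugin get ninja-forms --field=version --path="$site" 2>/dev/null)
    printf '%s\t%s\t%s\n' "$site" "${ver:-n/a}" "$(nf_classify "$ver")"
  done
}

# Usage: sh nf-audit.sh /var/www/site1 /var/www/site2   (paths are placeholders)
if [ "$#" -gt 0 ]; then
  nf_audit "$@"
fi
```

Any site reported as `vulnerable` can then be updated with `wp plugin update ninja-forms --path=<site>` and re-checked.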

It’s important to regularly check for plugin updates and apply them promptly to ensure your website’s security. Enabling automatic updates for plugins can also help streamline this process and ensure that you are always running the latest, most secure versions.


Security vulnerabilities in plugins can pose a significant risk to your website’s security and the privacy of your users. The recent high severity vulnerabilities discovered in the Ninja Forms plugin highlight the importance of keeping your plugins up to date.

If you use Ninja Forms on your WordPress site, make sure to update to version 3.6.26 or higher to patch these vulnerabilities. By doing so, you protect your website from potential attacks and ensure the safety of your data and your users’ information.

Remember, proactive measures like regular updates and security patches are essential to maintaining a secure website. Stay vigilant and prioritize the security of your WordPress site to safeguard against potential threats.
