CVE-2026-12557
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SaturdayDrive | Ninja Forms - File Uploads | 0 <= 3.3.29 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1a54f8cc-cadb-4496-bcc4-ef8387b72300?source=cve
- https://plugins.trac.wordpress.org/browser/ninja-forms-uploads/trunk/includes/Common/Routes/DebugLog.php#L88
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.