Ninja Forms for WordPress: Multiple high-level security vulnerabilities

Critical vulnerability in WordPress plugin

Written by Editorial


31 July 2023

There is important news for WordPress website owners who use the Ninja Forms plug-in. In this article we discuss the latest developments around the security of this popular plug-in and describe the measures you should take to protect your website.

Three vulnerabilities were recently discovered in the widely used Ninja Forms plug-in for WordPress. They could allow attackers to access protected data that they would normally not be able to reach. Fortunately, the developers reacted quickly and made a patched version of the plug-in available.

The security vulnerabilities in detail

The three identified vulnerabilities pose a serious threat to websites that use the Ninja Forms plug-in. If attackers successfully exploit one of them, they could gain access to information that is supposed to be protected, by means of a so-called XSS (cross-site scripting) attack. The cause is insufficient input validation, which allows attackers to manipulate requests to the website and inject a payload containing malicious code. It is important to note that the XSS vulnerability is not persistent.

In addition to this vulnerability, unauthorized persons may be able to access form submissions because of broken access control. The severity of these two vulnerabilities has not yet been officially classified.

The solution: The patch

The developers of the Ninja Forms plug-in reacted quickly to the discovery of these vulnerabilities. They have stated that the security issues are fixed in version 3.6.26 of the plug-in. All users of the plug-in are strongly recommended to update to this version as soon as possible to protect their websites.

About the Ninja Forms plug-in

The Ninja Forms plug-in is a popular tool for WordPress website administrators. It allows you to create forms for website visitors and currently has over 800,000 active installations. It is known as one of the most popular form creation plug-ins for WordPress and is developed by Saturday Drive.

This plug-in is a free form builder for WordPress that lets you create almost any type of form you can imagine, from simple contact forms to event registrations, file uploads, payments and more.

Timeline of events

On June 22, 2023, the vulnerabilities were discovered and the plug-in vendor was informed. On July 4, 2023, Ninja Forms version 3.6.26 was released to fix the reported issues. On July 25, 2023, the vulnerabilities were recorded in the Patchstack vulnerability database.

The vulnerabilities are thus publicly known and a patch is available. If you use Ninja Forms on your WordPress website, you should urgently check whether the patched version is installed.
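One way to perform that check on a server is to read the version from the plug-in's main file header and compare it against the fixed release named above. The following script is an added example, not code from the article or from the Ninja Forms project; the plug-in file path `wp-content/plugins/ninja-forms/ninja-forms.php` and the sample header text are assumptions and may need adjusting for your installation. The version comparison is done numerically, because a plain string comparison would wrongly rank 3.6.3 above 3.6.26.

```python
"""Check whether an installed Ninja Forms plug-in is at or above the fixed version."""
import re
from pathlib import Path
from typing import Optional, Union

# Fixed release named in the advisory.
FIXED_VERSION = "3.6.26"

# Assumed default location of the plug-in's main file, relative to the WordPress root
# (hypothetical path; adjust it for your installation).
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/ninja-forms/ninja-forms.php")

# Constructed sample of a WordPress plug-in file header, used for offline testing;
# it is not copied from the real plug-in.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Plugin URI: https://example.invalid/
Description: Constructed sample header for testing.
Version: 3.6.25
*/
"""

# WordPress reads headers as "Key: value" lines; allow an optional leading "*".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' value from a WordPress plug-in file header, or None."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """Split a dotted version into integers so that 3.6.26 sorts after 3.6.3."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is the fixed release or newer."""
    return version_tuple(installed) >= version_tuple(fixed)


def check_plugin_file(plugin_file: Union[str, Path] = DEFAULT_PLUGIN_FILE) -> tuple:
    """Read the plug-in header from disk and report (installed_version, patched)."""
    path = Path(plugin_file)
    if not path.is_file():
        return None, False
    # WordPress itself only inspects the first few KB of the file for the header.
    header = path.read_text(encoding="utf-8", errors="replace")[:8192]
    version = parse_plugin_version(header)
    if version is None:
        return None, False
    return version, is_patched(version)


if __name__ == "__main__":
    installed, patched = check_plugin_file()
    if installed is None:
        print(f"{DEFAULT_PLUGIN_FILE}: plug-in file not found or no Version header")
    elif patched:
        print(f"Ninja Forms {installed}: patched (>= {FIXED_VERSION})")
    else:
        print(f"Ninja Forms {installed}: UPDATE REQUIRED (< {FIXED_VERSION})")
```

Run it from the WordPress root directory; a non-zero-risk result is any line reporting "UPDATE REQUIRED". If you manage several sites, the same functions can be applied to each site's plug-in file path in a loop.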


In today's digital world, it is essential to stay up to date with the latest security developments. The discovery of these vulnerabilities in the Ninja Forms plug-in highlights the need to always use the latest versions of plug-ins and other software tools. By updating to the latest version of the Ninja Forms plug-in, you can ensure that your website is protected against these specific threats.

Our agency offers WordPress maintenance services and security monitoring for WordPress. If you do not want to carry out the ongoing monitoring of WordPress or your plug-ins yourself, leave this work to us. Learn more about our WordPress maintenance services here.
