CVE-2025-11924
中文标题:
(暂无数据)
英文标题:
Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token
漏洞描述
中文描述:
(暂无数据)
英文描述:
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| kstover | Ninja Forms – The Contact Form Builder That Grows With You | - | ≤ 3.13.2 | - |
cpe:2.3:a:kstover:ninja_forms_–_the_contact_form_builder_that_grows_with_you:*:*:*:*:*:*:*:*
|
| ninjaforms | ninja_forms | * | - | - |
cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-11924 |
2025-12-19 03:24:27 | 2026-01-12 02:10:30 |
| NVD | nvd_CVE-2025-11924 |
2026-01-06 03:00:08 | 2026-01-12 02:27:23 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']