CVE Catalog

CVE-2026-12557

Medium · CVSS 5.3

Summary

The Ninja Forms - File Uploads plugin for WordPress, in all versions up to and including 3.3.29, contains an authorization bypass vulnerability: the plugin does not properly verify that a user is authorized to perform an action. Unauthenticated attackers can read all debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.

Risk Assessment

The risk involves potential leakage of sensitive information from the debug log and complete data loss from that table, which may disrupt plugin functionality and expose technical environment details.

Recommendation

Immediately update the Ninja Forms - File Uploads plugin to the latest available version that fixes this vulnerability.

Original NVD description (English source)

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS