cleantalk
Vulnerabilities and Security Researches

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress, CVE-2025-10498

CVE, Research URL

CVE-2025-10498

Home page URL

Security reports for Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Application

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress

Published on
Sep 27, 2025
Research Description
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 3.12.1.
Status
vulnerable
Previous vulnerability researches
Ninja Forms Google Sheet Connector (48c876c4c37ae47cdbba572acd132e945788cdbd) , Jun 07, 2024
Ninja Forms Google Sheet Connector (CVE-2023-2333) , Jun 07, 2024
Popup addon for Ninja Forms (CVE-2025-53279) , Jul 02, 2025
Styler for Ninja Forms (CVE-2024-10717) , Nov 14, 2024
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress (CVE-2024-43999) , Sep 01, 2024
New vulnerability
Genealogical Tree – WordPress Family Tree (CVE-2025-58023) , Oct 12, 2025
WPB Quick View Popup for WooCommerce – Display Product Informations in Popup on Button Click (CVE-2025-57967) , Oct 12, 2025
Mixtape (CVE-2025-9860) , Oct 12, 2025
Advanced Settings (CVE-2025-58996) , Oct 12, 2025
FancyTabs (CVE-2025-8560) , Oct 12, 2025