ByteOS Network

Vulnerability Details :

CVE-2023-38393

Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3

Published At-19 Jun, 2024 | 14:15

Updated At-02 Aug, 2024 | 17:39

WordPress Ninja Forms plugin <= 3.6.25 - Subscriber+ Broken Access Control vulnerability

Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Patchstack

Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3

Published At:19 Jun, 2024 | 14:15

Updated At:02 Aug, 2024 | 17:39

▼CVE Numbering Authority (CNA)

WordPress Ninja Forms plugin <= 3.6.25 - Subscriber+ Broken Access Control vulnerability

Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.

Affected Products

Vendor

Saturday Drive, INC

Product

Ninja Forms

Collection URL

https://wordpress.org/plugins

Package Name

ninja-forms

Default Status

unaffected

Versions

Affected

From n/a through 3.6.25 (custom)
- -> unaffectedfrom3.6.26

Problem Types

Type	CWE ID	Description
CWE	CWE-862	CWE-862 Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: CWE-862 Missing Authorization

Metrics

Version	Base score	Base severity	Vector
3.1	7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Version: 3.1

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Solutions

Update to 3.6.26 or a higher version.

Credits

finder

Rafie Muhammad (Patchstack)

References

Hyperlink	Resource
https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve	vdb-entry

Hyperlink: https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve

Resource:

vdb-entry

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Affected Products

Vendor

Saturday Drive, INC

Product

ninja_forms

CPEs

cpe:2.3:a:ninjaforma:ninja_forms:*:*:*:*:*:wordpress:*:*

Default Status

unknown

Versions

Affected

From 0 through 3.6.25 (custom)

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve	vdb-entry x_transferred

Hyperlink: https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve

Resource:

vdb-entry

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:audit@patchstack.com

Published At:19 Jun, 2024 | 15:15

Updated At:20 Jun, 2024 | 12:43

Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Weaknesses

CWE ID	Type	Source
CWE-862	Primary	audit@patchstack.com

CWE ID: CWE-862

Type: Primary

Source: audit@patchstack.com

References

Hyperlink	Source	Resource
https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve	audit@patchstack.com	N/A

Hyperlink: https://patchstack.com/database/vulnerability/ninja-forms/wordpress-ninja-forms-plugin-3-6-25-subscriber-broken-access-control-vulnerability?_s_id=cve

Source: audit@patchstack.com

Resource: N/A

Similar CVEs

10Records found

CVE-2023-38386

Matching Score-10

Assigner-Patchstack

View Details

Matching Score-10

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.23% / 45.07%

7 Day CHG~0.00%

Published-19 Jun, 2024 | 13:06

Updated-07 Apr, 2025 | 17:55

WordPress Ninja Forms plugin <= 3.6.25 - Contributor+ Broken Access Control vulnerability

Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.

Vendor-Saturday Drive, INC

Product-ninja_forms Ninja Forms

CWE ID-CWE-862

Missing Authorization

CVE-2021-34648

Matching Score-6

Assigner-Wordfence

View Details

Matching Score-6

Assigner-Wordfence

CVSS Score-6.4||MEDIUM

EPSS-0.22% / 44.20%

7 Day CHG+0.06%

Published-22 Sep, 2021 | 17:53

Updated-31 Mar, 2025 | 18:20

Ninja Forms <= 3.5.7 Unprotected REST-API to Email Injection

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims.

Vendor-Saturday Drive, INC

Product-ninja_forms Ninja Forms

CWE ID-CWE-863

Incorrect Authorization

CWE ID-CWE-862

Missing Authorization

CVE-2021-34647

Matching Score-6

Assigner-Wordfence

View Details

Matching Score-6

Assigner-Wordfence

CVSS Score-6.5||MEDIUM

EPSS-0.72% / 72.02%

7 Day CHG+0.19%

Published-22 Sep, 2021 | 17:53

Updated-31 Mar, 2025 | 18:12

Ninja Forms <= 3.5.7 Sensitive Information Disclosure

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information.

Vendor-Saturday Drive, INC

Product-ninja_forms Ninja Forms

CWE ID-CWE-863

Incorrect Authorization

CWE ID-CWE-862

Missing Authorization

CVE-2025-7782

Matching Score-4

Assigner-Wordfence

View Details

Matching Score-4

Assigner-Wordfence

CVSS Score-7.6||HIGH

EPSS-0.05% / 15.11%

7 Day CHG~0.00%

Published-20 Dec, 2025 | 13:47

Updated-23 Dec, 2025 | 14:51

WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.

Vendor-n/a

Product-WP JobHunt

CWE ID-CWE-862

Missing Authorization

CVE-2025-68058

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.04% / 12.77%

7 Day CHG~0.00%

Published-22 Jan, 2026 | 16:52

Updated-28 Jan, 2026 | 17:16

WordPress Institutions Directory plugin <= 1.3..4 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Institutions Directory: from n/a through <= 1.3..4.

Vendor-e-plugins

Product-Institutions Directory

CWE ID-CWE-862

Missing Authorization

CVE-2025-68057

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.04% / 12.77%

7 Day CHG~0.00%

Published-22 Jan, 2026 | 16:52

Updated-28 Jan, 2026 | 17:16

WordPress Hospital Doctor Directory plugin <= 1.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.

Vendor-e-plugins

Product-Hospital Doctor Directory

CWE ID-CWE-862

Missing Authorization

CVE-2025-58938

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.05% / 15.11%

7 Day CHG~0.00%

Published-18 Dec, 2025 | 07:21

Updated-27 Jan, 2026 | 15:03

WordPress IDonatePro plugin <= 2.1.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonatePro: from n/a through <= 2.1.9.

Vendor-ThemeAtelier

Product-IDonatePro

CWE ID-CWE-862

Missing Authorization

CVE-2025-69311

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.04% / 12.77%

7 Day CHG~0.00%

Published-22 Jan, 2026 | 16:52

Updated-27 Jan, 2026 | 19:16

WordPress Broadstreet Ads plugin <= 1.52.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.1.

Vendor-Broadstreet

Product-Broadstreet Ads

CWE ID-CWE-862

Missing Authorization

CVE-2025-68059

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.04% / 12.77%

7 Day CHG~0.00%

Published-22 Jan, 2026 | 16:52

Updated-28 Jan, 2026 | 17:16

WordPress Hotel Listing plugin <= 1.4.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2.

Vendor-e-plugins

Product-Hotel Listing

CWE ID-CWE-862

Missing Authorization

CVE-2023-36516

Matching Score-4

Assigner-Patchstack

View Details

Matching Score-4

Assigner-Patchstack

CVSS Score-7.6||HIGH

EPSS-0.45% / 62.97%

7 Day CHG~0.00%

Published-19 Jun, 2024 | 14:18

Updated-02 Aug, 2024 | 16:45

WordPress LearnPress plugin <= 4.2.3 - Authenticated Broken Access Control vulnerability

Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3.

Vendor-ThimPress (PhysCode)

Product-LearnPress learnpress

CWE ID-CWE-862

Missing Authorization

CVE-2023-38393

Credits

WordPress Ninja Forms plugin <= 3.6.25 - Subscriber+ Broken Access Control vulnerability

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Affected

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs