Unrated severityNVD Advisory· Published Sep 27, 2025· Updated Apr 8, 2026

Ninja Forms – The Contact Form Builder That Grows With You <= 3.12.0 - Cross-Site Request Forgery to Limited File Deletion

CVE-2025-10498

Description

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link.

Affected products

Ninjaforms/Ninja Formsllm-fuzzy
Range: <=3.12.0
kstover/Ninja Forms – The Contact Form Builder That Grows With Youv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/ninja-forms/trunk/includes/Admin/Menus/Submissions.phpmitre
plugins.trac.wordpress.org/changeset/3365881/ninja-forms/trunkmitre
www.wordfence.com/threat-intel/vulnerabilities/id/b082176c-9486-416c-8215-cdba4d6e5260mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000