๐Ÿ” CVE Alert

CVE-2026-12557

MEDIUM 5.3

Ninja Forms - File Uploads <= 3.3.29 - Missing Authorization to Unauthenticated Log Disclosure and Deletion via debug-log/delete-all and debug-log/get-all REST Endpoints

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table.

CWE CWE-862
Vendor saturdaydrive
Product ninja forms - file uploads
Published Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for saturdaydrive ninja forms - file uploads

Be the first to know when new medium vulnerabilities affecting saturdaydrive ninja forms - file uploads are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

SaturdayDrive / Ninja Forms - File Uploads
0 โ‰ค 3.3.29

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1a54f8cc-cadb-4496-bcc4-ef8387b72300?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ninja-forms-uploads/trunk/includes/Common/Routes/DebugLog.php#L88

Credits

Ad4m5