CVE-2026-15160 - Ninja Forms - Excel Export <= 3.3.6 - Missing Authorization to Authenticated (Subscriber+) XLS Write via Path Traversal
CVE ID :CVE-2026-15160
Published : July 17, 2026, 4:16 a.m. | 31 minutes ago
Description :The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : July 17, 2026, 4:16 a.m. | 31 minutes ago
Description :The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...