PatchSiren cyber security CVE debrief
CVE-2026-15160 SaturdayDrive CVE debrief
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.
- Vendor
- SaturdayDrive
- Product
- Ninja Forms - Excel Export
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the Ninja Forms - Excel Export plugin for WordPress should be aware of this vulnerability and take steps to mitigate it, especially if they have subscriber-level access or higher.
Technical summary
The vulnerability exists in the Ninja Forms - Excel Export plugin for WordPress, specifically in versions up to and including 3.3.6. The issue arises from the 'spreadsheet_export_tmp_name' parameter, which allows authenticated attackers with subscriber-level access or higher to perform directory traversal attacks. This can lead to writing .xls/.xlsx files to arbitrary locations on the server, potentially used for further malicious activities.
Defensive priority
Medium priority due to the CVSS score of 4.3 and the potential for staging further attacks.
Recommended defensive actions
- Update the Ninja Forms - Excel Export plugin to a version that fixes the directory traversal vulnerability.
- Restrict access to the plugin's functionality to prevent exploitation by authenticated attackers.
- Monitor server logs for suspicious file writes or modifications.
- Implement additional security measures such as file upload validation and filtering.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-17T04:16:50.700Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability details are based on information provided by [email protected].
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T04:16:50.700Z and has not been modified since then. The NVD entry is currently in the 'Received' status.