PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15160 SaturdayDrive CVE debrief

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.

Vendor
SaturdayDrive
Product
Ninja Forms - Excel Export
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the Ninja Forms - Excel Export plugin for WordPress should be aware of this vulnerability and take steps to mitigate it, especially if they have subscriber-level access or higher.

Technical summary

The vulnerability exists in the Ninja Forms - Excel Export plugin for WordPress, specifically in versions up to and including 3.3.6. The issue arises from the 'spreadsheet_export_tmp_name' parameter, which allows authenticated attackers with subscriber-level access or higher to perform directory traversal attacks. This can lead to writing .xls/.xlsx files to arbitrary locations on the server, potentially used for further malicious activities.

Defensive priority

Medium priority due to the CVSS score of 4.3 and the potential for staging further attacks.

Recommended defensive actions

  • Update the Ninja Forms - Excel Export plugin to a version that fixes the directory traversal vulnerability.
  • Restrict access to the plugin's functionality to prevent exploitation by authenticated attackers.
  • Monitor server logs for suspicious file writes or modifications.
  • Implement additional security measures such as file upload validation and filtering.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-17T04:16:50.700Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability details are based on information provided by [email protected].

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T04:16:50.700Z and has not been modified since then. The NVD entry is currently in the 'Received' status.