PatchSiren cyber security CVE debrief
CVE-2026-15161 SaturdayDrive CVE debrief
The Ninja Forms - Excel Export plugin for WordPress has a Stored Cross-Site Scripting vulnerability in versions up to and including 3.3.6. Authenticated attackers with subscriber-level access can inject web scripts. This vulnerability exists due to the save_filter() AJAX handler storing raw $_POST['filter'] array into a WordPress option without capability checks or input sanitization. The get_filter_row() method then directly injects these filter values into HTML attributes without proper escaping. Users of WordPress with the Ninja Forms - Excel Export plugin installed, especially those allowing subscriber-level access, should be aware of this vulnerability and take necessary precautions.
- Vendor
- SaturdayDrive
- Product
- Ninja Forms - Excel Export
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of WordPress with the Ninja Forms - Excel Export plugin installed, especially those allowing subscriber-level access, should be aware of this vulnerability and take necessary precautions. This includes updating the plugin to a version beyond 3.3.6, restricting access to the Excel Export feature to trusted users only, and implementing Content Security Policy (CSP) to mitigate XSS attacks.
Technical summary
The vulnerability exists due to the save_filter() AJAX handler storing raw $_POST['filter'] array into a WordPress option without capability checks or input sanitization. The get_filter_row() method then directly injects these filter values into HTML attributes without proper escaping. This allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The CVSS score of 6.4 and MEDIUM severity indicate a moderate level of risk.
Defensive priority
Medium priority due to the CVSS score of 6.4 and the potential for authenticated attackers to inject scripts.
Recommended defensive actions
- Update the Ninja Forms - Excel Export plugin to a version beyond 3.3.6.
- Restrict access to the Excel Export feature to trusted users only.
- Implement Content Security Policy (CSP) to mitigate XSS attacks.
- Regularly monitor plugin and WordPress core updates.
- Consider using a Web Application Firewall (WAF) to detect and prevent XSS attacks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
Evidence is based on the CVE and NVD records, as well as references from Wordfence. However, details about the vendor, product, and affected versions are limited. The vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity. The plugin's save_filter() AJAX handler stores raw $_POST['filter'] array into a WordPress option without capability checks or input sanitization. The get_filter_row() method then directly injects these filter values into HTML attributes without proper escaping, allowing authenticated attackers with subscriber-level access to inject web scripts.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:38.087Z and has not been modified since then.