The development team oh the Ninja Forms WordPress plugin fixed a high severity security flaw that can let attackers take over websites. The developers
The development team oh the Ninja Forms WordPress plugin fixed a high severity security flaw that can let attackers take over websites.
The developers behind the Ninja Forms WordPress plugin have addressed a Cross-Site Request Forgery (CSRF) vulnerability that could lead to Stored Cross-Site Scripting (Stored XSS) attacks.
Ninja Forms is a drag and drop form builder plugin for WordPress builder that allows users to easily create complex forms within just a few minutes.
The WordPress plugin has currently more than 1 million installs, the flaw affects all Ninja Forms versions up to 18.104.22.168.
The issue, rated as a high severity security flaw (CVSS score of 8.8), could be exploited by attackers to inject malicious code and take over websites.
Experts from Wordfence explained that hackers could abuse the plugin’s functionality to replace all existing forms on a targeted website with a malicious one.
The Ninja Forms plugin includes a “legacy” mode which allows users to revert its styling and features to those of the plugin’s final 2.9.x version. It leverages multiple AJAX functions that import forms and fields between the “legacy” mode and the default mode. Experts noticed that two of these functions failed to check nonces, this means that they don’t verify the identity of the user that sent a request.
Experts explained that the issue allows hackers to carry out a Cross-Site Scripting (XSS) attack, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.
Below the timeline of the issue:
- April 27, 2020 19:00 UTC – Our Threat Intelligence Team discovers and analyzes the vulnerability and verifies that our existing Firewall Rules provide sufficient protection against XSS.
- April 27, 2020 19:24 UTC – We provide full disclosure to the plugin’s developer as per their Responsible Security Disclosure Policy.
- April 27, 2020 20:27 UTC – We receive a response that a patch should be available the next day.
- April 28, 2020 19:00 UTC – Patched version of the plugin released.
At the time of writing, over 800,000 WordPress sites are still using vulnerable versions of the plugin.
A few days ago, WordFence also disclosed another issue affecting the Real-Time Find and Replace WordPress plugin.
Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.
A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:
- Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
- Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
- Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
- Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
- Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.
- March 2020 – The WordPress plugin ‘ThemeREX Addons’ is affected by a critical vulnerability that could allow remote attackers to execute arbitrary code.
- March 2020 – A critical flaw in Rank Math WordPress plugin allows hackers to give users Admins privileges
I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – Ninja Forms, hacking)