The developers behind the Ninja Forms WordPress plugin have addressed a Cross-Site Request Forgery (CSRF) vulnerability that could lead to Stored Cross-Site Scripting (Stored XSS) attacks.
Ninja Forms is a drag and drop form builder plugin for WordPress builder that allows users to easily create complex forms within just a few minutes.
The WordPress plugin has currently more than 1 million installs, the flaw affects all Ninja Forms versions up to 126.96.36.199.
The issue, rated as a high severity security flaw (CVSS score of 8.8), could be exploited by attackers to inject malicious code and take over websites.
Experts from Wordfence explained that hackers could abuse the plugin’s functionality to replace all existing forms on a targeted website with a malicious one.
The Ninja Forms plugin includes a “legacy” mode which allows users to revert its styling and features to those of the plugin’s final 2.9.x version. It leverages multiple AJAX functions that import forms and fields between the “legacy” mode and the default mode. Experts noticed that two of these functions failed to check nonces, this means that they don’t verify the identity of the user that sent a request.
Experts explained that the issue allows hackers to carry out a Cross-Site Scripting (XSS) attack, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.
Below the timeline of the issue:
At the time of writing, over 800,000 WordPress sites are still using vulnerable versions of the plugin.
A few days ago, WordFence also disclosed another issue affecting the Real-Time Find and Replace WordPress plugin.
Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.
A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:
I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – Ninja Forms, hacking)