WordPress Ninja Forms plugin flaw lets hackers steal submitted data

Karlston
Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data.

Researchers at Patchstack discovered and disclosed the three vulnerabilities to the plugin's developer, Saturday Drive, on June 22nd, 2023, warning that they affect Ninja Forms versions 3.6.25 and older.

The developers released version 3.6.26 on July 4th, 2023, to fix the vulnerabilities. However, WordPress.org stats show that only roughly half of all Ninja Forms users have downloaded the latest release, leaving about 400,000 sites vulnerable to attacks.

    The vulnerabilities

The first vulnerability discovered by Patchstack is CVE-2023-37979, a POST-based reflected XSS (cross-site scripting) flaw that allows unauthenticated users to escalate their privileges and steal information by tricking privileged users into visiting a specially crafted webpage.

The second and third problems, tracked as CVE-2023-38393 and CVE-2023-38386, respectively, are broken access control issues in the plugin's form submissions export feature, allowing Subscribers and Contributors to export all of the data that users have submitted on the impacted WordPress site.

Although all three issues are rated as high-severity, CVE-2023-38393 is particularly dangerous because its only prerequisite, an account with the Subscriber role, is easy to meet.

Any site that supports membership and user registration would be susceptible to massive data breach incidents due to that flaw if it runs a vulnerable Ninja Forms plugin version.

     

[Image: The processing function that contains CVE-2023-38393 (Patchstack)]

    The patches applied by the vendor in version 3.6.26 include adding permission checks for the broken access control issues and function access restrictions that prevent triggering the identified XSS.
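To illustrate the kind of permission check such a fix adds, here is an added example of a WordPress admin-ajax export handler, first without an authorization check and then with one; this is illustration code written for this post, not Ninja Forms' own code, and all function and hook names are hypothetical.

```php
<?php
// Hypothetical export handler, written for this post (not Ninja Forms' code).
// admin-ajax.php only verifies that a user is logged in; any role, including
// Subscriber or Contributor, can reach a wp_ajax_* handler. Authorization is
// the handler's own job.

// WEAK: no capability check and no nonce, so any logged-in user can export.
add_action( 'wp_ajax_example_export_submissions', 'example_export_submissions_weak' );
function example_export_submissions_weak() {
    example_send_csv( example_fetch_submissions( absint( $_GET['form_id'] ?? 0 ) ) );
}

// HARDENED: verify intent (nonce) and authority (capability) before exporting.
add_action( 'wp_ajax_example_export_submissions_v2', 'example_export_submissions_hardened' );
function example_export_submissions_hardened() {
    // check_ajax_referer() stops the request with a 403 if the nonce is missing or stale.
    check_ajax_referer( 'example_export_submissions', 'nonce' );

    // Gate on a capability that Subscribers and Contributors do not hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $form_id = absint( $_GET['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form id.' ), 400 );
    }
    example_send_csv( example_fetch_submissions( $form_id ) );
}

// Admin-side link that carries the nonce the hardened handler expects.
function example_export_link( $form_id ) {
    $url = admin_url( 'admin-ajax.php?action=example_export_submissions_v2&form_id=' . absint( $form_id ) );
    return wp_nonce_url( $url, 'example_export_submissions', 'nonce' );
}

// Stand-ins for the plugin's data access and CSV output (hypothetical post type).
function example_fetch_submissions( $form_id ) {
    return get_posts( array(
        'post_type'   => 'example_submission',
        'meta_key'    => '_form_id',
        'meta_value'  => $form_id,
        'numberposts' => -1,
    ) );
}
function example_send_csv( $rows ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row->ID, $row->post_date, $row->post_title ) );
    }
    fclose( $out );
    wp_die();
}
```

The difference between the two handlers is exactly the class of check the article says the vendor added: the capability test decides who may export, and the nonce ties the request to a page the admin actually loaded.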

Public disclosure of the above flaws was delayed by over three weeks to avoid drawing hackers' attention to them while giving Ninja Forms users time to patch. However, a significant number still haven't at this time.

Patchstack's coverage contains detailed technical information about the three flaws, so exploiting them should be trivial for knowledgeable threat actors.

Therefore, all website admins who use the Ninja Forms plugin are recommended to update to version 3.6.26 or later as soon as possible. If that is not possible, admins should disable the plugin on their sites until they can apply the patch.

    Source
