Three Flaws in Ninja Forms Plugin Impacting 900K WordPress Sites


user icon Pierluigi Paganini
clock icon July 31, 2023


Experts warn of vulnerabilities affecting the Ninja Forms plugin for WordPress that could be used for privilege escalation and data theft.

The Ninja Forms plugin for WordPress is affected by multiple vulnerabilities (tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393) that threat actors can exploit to escalate privileges and steal sensitive data.

WordPress plugin Ninja Forms is the most popular form builder plugin with over 900,000 active installations.


Developers can use the plugin to create any type of form, including contact forms and payment forms.

The first vulnerability, tracked as CVE-2023-37979, is a POST-based reflected XSS that an unauthenticated user can exploit to steal sensitive information and, in this case, escalate privileges on a WordPress site. The attacker triggers the problem by tricking a privileged user into visiting a crafted website.

The second and third vulnerabilities, tracked as CVE-2023-38393 and CVE-2023-38386, are access control violations in the form-submission export feature. A user in the Subscriber or Contributor role can use the flaws to export all Ninja Forms submissions on a WordPress site.

The vulnerabilities were fixed with the release of version 3.6.26.

“In some cases, plugin or theme code needs to call a specific function or class from a user-supplied string. Always try to check and limit which function or class the user can call directly. Also, pay extra attention to the operation of the export data and always perform a permission or access control check for related functions.” reads a post published by Patchstack.
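The two defensive measures in the Patchstack advice, limiting which function a user-supplied string can select and gating the export path behind a permission check, look like this in a WordPress-style handler. The code below is an added illustration written for this article; it is not Ninja Forms or Patchstack code, the `nf_demo_*` names and the `ALLOWED_ACTIONS` map are invented for the example, and the `function_exists` shims are stand-ins for the real WordPress functions so the file also runs from the PHP command line outside WordPress.

```php
<?php
// Added example (not Ninja Forms code): allow-listed dispatch of a caller-chosen
// action, plus a capability and nonce check before any submissions are exported.

// Stand-ins so the snippet runs outside WordPress; inside WordPress the real
// current_user_can / wp_verify_nonce / sanitize_text_field / esc_html are used.
if (!function_exists('current_user_can')) {
    function current_user_can($cap) { return $GLOBALS['demo_caps'][$cap] ?? false; }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) { return $nonce === 'valid-' . $action; }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Constructed sample data: submissions that only an administrator may export.
$demo_submissions = [
    ['id' => 1, 'email' => 'alice@example.test'],
    ['id' => 2, 'email' => 'bob@example.test'],
];

// 1. Never let a request string name an arbitrary function or class.
//    The user-supplied key only selects from this fixed map of handlers.
const ALLOWED_ACTIONS = [
    'list'   => 'nf_demo_list_forms',
    'export' => 'nf_demo_export_submissions',
];

function nf_demo_dispatch(array $request, array $submissions): array {
    $action = sanitize_text_field($request['action'] ?? '');
    if (!isset(ALLOWED_ACTIONS[$action])) {
        // The rejected value is HTML-escaped before it is echoed back, so a
        // crafted action name cannot become a reflected XSS payload.
        return ['status' => 400, 'body' => 'Unknown action: ' . esc_html($action)];
    }
    $handler = ALLOWED_ACTIONS[$action];   // resolved from the allow-list, never from $request
    return $handler($request, $submissions);
}

function nf_demo_list_forms(array $request, array $submissions): array {
    return ['status' => 200, 'body' => 'forms: contact, payment'];
}

// 2. Export is sensitive: require a capability AND a nonce (CSRF token) every time,
//    so a Subscriber or Contributor cannot reach the data at all.
function nf_demo_export_submissions(array $request, array $submissions): array {
    if (!current_user_can('manage_options')) {
        return ['status' => 403, 'body' => 'Insufficient permissions'];
    }
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'nf_export')) {
        return ['status' => 403, 'body' => 'Invalid nonce'];
    }
    $lines = ['id,email'];
    foreach ($submissions as $row) {
        $lines[] = $row['id'] . ',' . $row['email'];
    }
    return ['status' => 200, 'body' => implode("\n", $lines)];
}

// Demo runs: a low-privilege user asking for an export, a request naming an
// action outside the allow-list, and an administrator with a valid nonce.
$GLOBALS['demo_caps'] = ['manage_options' => false];
print_r(nf_demo_dispatch(['action' => 'export'], $demo_submissions));      // status 403
print_r(nf_demo_dispatch(['action' => 'not_allowed'], $demo_submissions)); // status 400
$GLOBALS['demo_caps'] = ['manage_options' => true];
print_r(nf_demo_dispatch(['action' => 'export', '_wpnonce' => 'valid-nf_export'], $demo_submissions)); // status 200
```

The check that matters for the two access-control CVEs is the one inside `nf_demo_export_submissions`: the capability test runs in the export handler itself, not only on the admin page that links to it, so a direct request to the export endpoint from a Subscriber or Contributor account is refused regardless of how it was reached. In a real plugin the capability string should be whichever one the plugin already uses for viewing submissions, and the nonce would be issued with `wp_create_nonce('nf_export')` on the page that offers the export link.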

Below is the timeline of the above-mentioned issues:

  • June 22, 2023: We found the vulnerability and contacted the plugin vendor.
  • July 04, 2023: Ninja Forms version 3.6.26 released to patch the reported issues.
  • July 25, 2023: The vulnerabilities were added to the Patchstack vulnerability database.
  • July 27, 2023: A security advisory was published.
