‘Ninja Forms’ Pushed a Very Important Update Affecting 1 Million Sites

  • The ‘Ninja Forms’ plugin for WordPress was found to contain two exploitable flaws.
  • The flaws let any logged-in user, regardless of role, export submitted form data (sensitive information disclosure) and send arbitrary emails from the site (email injection).
  • The plugin remained unpatched for more than a month after the report, but a fix (version 3.5.8) is out now.

One of the most popular and widely used WordPress plugins, ‘Ninja Forms,’ has released version 3.5.8, which fixes two vulnerabilities affecting the more than one million sites on which it is installed. The flaws allowed a low-privileged attacker to export sensitive information submitted through a vulnerable site’s forms, and to send arbitrary emails to that site’s users with the goal of phishing or scamming them. The discovery and detailed report come from the Wordfence Threat Intelligence team, who alerted the vendor on August 3, 2021.

The patch was released on September 7, 2021, so the flaws stayed unpatched for more than a month after they were reported. It is also safe to assume that not every site running ‘Ninja Forms’ has updated to 3.5.8 or later yet; administrators who have not applied the update are advised to do so immediately.

‘Ninja Forms’ is a drag-and-drop forms builder which people can use to create sleek-looking contact forms, signup forms, lead generation forms, payment pages, and more. Because of its high-quality results, ease of use, and versatility in covering a wide range of needs, this plugin is used by many WordPress sites out there.

The two vulnerabilities identified by Wordfence researchers are CVE-2021-34647 and CVE-2021-34648. The first is an unprotected REST API endpoint leading to sensitive information disclosure; the second stems from the same root cause and leads to email injection. Both carry a CVSS v3 base score of 6.5, so they are categorized as “medium.”

The root cause is the “permission_callback” of the REST API routes that back the plugin’s submission-export and bulk-email functions. A permission callback is the WordPress REST API’s authorization hook for a route, and the plugin’s callback only checked whether the caller was logged in; it never checked whether that user held an administrator-level capability. As a result, any authenticated user, even one with the lowest role on the site (such as a subscriber), could download information that other users had entered into forms, or send those users email messages that appeared to come from the site’s own domain.
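The following is an added example, not code from Ninja Forms or Wordfence, showing the flawed permission pattern described above next to a hardened version. It assumes a WordPress runtime (register_rest_route, is_user_logged_in, current_user_can, wp_mail and WP_Error are WordPress core); the route namespace, route paths, handler names and the option-based storage are all hypothetical and chosen only to make the example self-contained.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates why a REST route
 * whose permission_callback only tests "is the caller logged in?" exposes
 * export and bulk-email actions to every registered user, and how a
 * capability check closes the hole. All names below are hypothetical.
 */

// VULNERABLE pattern: any authenticated user passes, including a Subscriber
// who otherwise can do nothing on the site.
function example_vulnerable_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED pattern: require a capability only administrators hold.
// Returning WP_Error rather than false yields a clear 401/403 response.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator capability required.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical storage: submissions for a form kept in a WordPress option.
function example_get_submissions( $form_id ) {
    $rows = get_option( 'example_forms_submissions_' . (int) $form_id, array() );
    return is_array( $rows ) ? $rows : array();
}

// Export handler: returns every submission of one form.
function example_export_submissions( WP_REST_Request $request ) {
    $form_id = (int) $request->get_param( 'form_id' );
    return rest_ensure_response( array(
        'form_id' => $form_id,
        'rows'    => example_get_submissions( $form_id ),
    ) );
}

// Bulk-email handler: mails every address captured by one form.
// sanitize_text_field() strips line breaks, so a caller cannot smuggle
// extra mail headers through the subject line.
function example_bulk_email( WP_REST_Request $request ) {
    $form_id = (int) $request->get_param( 'form_id' );
    $subject = sanitize_text_field( $request->get_param( 'subject' ) );
    $body    = wp_kses_post( $request->get_param( 'message' ) );
    $sent    = 0;
    foreach ( example_get_submissions( $form_id ) as $row ) {
        $to = isset( $row['email'] ) ? $row['email'] : '';
        if ( is_email( $to ) && wp_mail( $to, $subject, $body ) ) {
            $sent++;
        }
    }
    return rest_ensure_response( array( 'sent' => $sent ) );
}

add_action( 'rest_api_init', function () {
    $form_id_arg = array(
        'form_id' => array(
            'required'          => true,
            'validate_callback' => function ( $value ) { return is_numeric( $value ); },
        ),
    );
    register_rest_route( 'example-forms/v1', '/submissions/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_export_submissions',
        // Vulnerable variant: 'permission_callback' => 'example_vulnerable_permission',
        'permission_callback' => 'example_hardened_permission',
        'args'                => $form_id_arg,
    ) );
    register_rest_route( 'example-forms/v1', '/submissions/email-action', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_bulk_email',
        // Vulnerable variant: 'permission_callback' => 'example_vulnerable_permission',
        'permission_callback' => 'example_hardened_permission',
        'args'                => $form_id_arg,
    ) );
} );
```

Swapping the hardened callback for the vulnerable one is the entire difference between "administrators only" and "anyone with an account", which is why code review of REST routes should treat every permission_callback that stops at is_user_logged_in() as a finding. Note that cookie-based REST requests also need a valid nonce, but the nonce only proves the request came from the logged-in user's browser session; it is not an authorization check and does not substitute for current_user_can().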

An attacker could chain the two flaws into a very convincing phishing campaign: export the names and email addresses people submitted through the site’s forms, then email those people from the site’s own domain. Whether anyone exploited the ‘Ninja Forms’ flaws before the patch remains unknown at this point. Either way, it is a good reminder that data entered into any website is only as safe as the code sitting behind its forms.
