‘Ninja Forms’ Pushed a Very Important Update Affecting 1 Million Sites

• The ‘Ninja Forms’ plugin for WordPress sites was found to be vulnerable to exploitation.
• The two flaws that were identified concern unprivileged information exfiltration and email injection.
• The vulnerabilities remained exploitable for at least a full month, but a fixing patch is out now.

One of the most popular and widely used WordPress plugins, ‘Ninja Forms,’ has released version 3.5.8, which fixes two vulnerabilities that affected over a million sites. The flaws could make it possible for an attacker to export sensitive information from a vulnerable site, as well as send arbitrary emails to unsuspecting users with the goal of phishing or scamming them. The discovery and detailed report come from the Wordfence Threat Intelligence team, who alerted the vendor immediately on August 3, 2021.

The patch was released on September 7, 2021, so the flaw remained available for exploitation for at least a full month. Also, it is natural that not all websites that use ‘Ninja Forms’ have updated to 3.5.8 or later by now, so those who have not applied the update yet are advised to do it immediately.

‘Ninja Forms’ is a drag-and-drop forms builder which people can use to create sleek-looking contact forms, signup forms, lead generation forms, payment pages, and more. Because of its high-quality results, ease of use, and versatility in covering a wide range of needs, this plugin is used by many WordPress sites out there.

The two vulnerabilities identified by Wordfence researchers are CVE-2021-34647 and CVE-2021-34648. The first one concerns unprotected REST-API issues leading to sensitive information disclosure, and the second one stems from the same source and leads to email injection. Both carry a severity score of 6.5 according to CVSS v3, so they are categorized as “medium.”

The problem appears to be the “permissions_callback” validation in the plugin, which is implemented as a security measure in the form of data export and the bulk email delivery functions. The feature validated if a user is logged in or not but didn’t check if the user who performs the data export or the bulk email actions has administrator rights. This essentially allowed any logged-in user, even those standing at the bottom of the permissions scale, to download information that other users of the site entered in forms or send them email messages that appeared to come from the site’s domain.

Someone could exploit the above vulnerabilities to create a very effective phishing campaign, and doing that wouldn’t be complicated at all. Whether or not anyone has exploited the ‘Ninja Forms’ flaws remains unknown at this point. However, it is a perfect reminder why you shouldn’t blindly trust any website with your sensitive information.