Ninja Forms WordPress bug exposed over a million users to XSS attacks, website hijacking

The severe XSS vulnerability permitted site takeover and visitor browser redirection to malicious websites.
Written by Charlie Osborne, Contributing Writer

The Ninja Forms WordPress plugin harbored a severe security flaw that could be used for website takeover through the creation of new administrator accounts. 

Ninja Forms is a drag-and-drop contact form creator for websites running on the WordPress Content Management System (CMS). The plugin accounts for over one million active installations. 

The Wordfence Threat Intelligence team publicly disclosed the vulnerability in the plugin on April 29, just two days after the initial discovery. 

According to cybersecurity researcher Ramuel Gall, the high-severity bug, issued a CVSS score of 8.8, is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the Ninja Forms "legacy" mode system. 

See also: Critical vulnerabilities in WordPress plugins lead to e-learning platform hijacking

The legacy mode allows users to select styling and features based on an older version of the plugin, version 2.9. Ajax forms are in place which facilitate the transfer of forms and fields between legacy mode options and default modes, however, two of the functions failed to validate requests properly and one of the functions -- ninja_forms_ajax_import_form -- also allowed the import of custom HTML.

If an attacker was able to dupe an admin account holder into clicking a crafted, malicious link, they could spoof an admin session and import a malicious contact form to replace existing, legitimate scripts. Depending on where malicious JavaScript code lands, it could also be executed in a victim's browser whenever they visited a page containing the form, or when an admin attempted to edit form fields. 

"As is typical with XSS attacks, a malicious script executed in an administrator's browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor's browser could be used to redirect that visitor to a malicious site," the researchers said. 

CNET: Google cracks down on spammy Chrome extensions with new policy updates

The CSRF to XSS security flaw was reported to Ninja Forms on the day of discovery. Several hours later, the plugin developer informed the Wordfence team a fix was in the works. 

On April 28, the security patch was released as Ninja Forms version Users of the plugin should make sure they are running the latest version of the plugin to stay protected. 

TechRepublic: How to check for weak passwords on your Linux systems with John the Ripper

Back in March, Ninja Forms patched an HTML injection vulnerability in the plugin's merge tag system. 

In related news this week, GitLab awarded a researcher $20,000 for privately disclosing a severe path traversal bug on the platform that could be used to trigger remote code execution attacks. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards