The Ninja Forms WordPress plugin harbored a severe security flaw that could be used for website takeover through the creation of new administrator accounts.
Ninja Forms is a drag-and-drop contact form creator for websites running on the WordPress Content Management System (CMS). The plugin accounts for over one million active installations.
The Wordfence Threat Intelligence team publicly disclosed the vulnerability in the plugin on April 29, just two days after the initial discovery.
According to cybersecurity researcher Ramuel Gall, the high-severity bug, issued a CVSS score of 8.8, is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the Ninja Forms "legacy" mode system.
The legacy mode allows users to select styling and features based on an older version of the plugin, version 2.9. Ajax forms are in place which facilitate the transfer of forms and fields between legacy mode options and default modes, however, two of the functions failed to validate requests properly and one of the functions -- ninja_forms_ajax_import_form -- also allowed the import of custom HTML.
"As is typical with XSS attacks, a malicious script executed in an administrator's browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor's browser could be used to redirect that visitor to a malicious site," the researchers said.
The CSRF to XSS security flaw was reported to Ninja Forms on the day of discovery. Several hours later, the plugin developer informed the Wordfence team a fix was in the works.
On April 28, the security patch was released as Ninja Forms version 18.104.22.168. Users of the plugin should make sure they are running the latest version of the plugin to stay protected.
Back in March, Ninja Forms patched an HTML injection vulnerability in the plugin's merge tag system.
In related news this week, GitLab awarded a researcher $20,000 for privately disclosing a severe path traversal bug on the platform that could be used to trigger remote code execution attacks.
Previous and related coverage
- 5G mast arson, coronavirus conspiracy theories force social media to walk a fine censorship line
- This new Android mobile malware targets banks, financial services across Europe
- GitLab awards researcher $20,000, patches remote code execution bug
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0