Four new security vulnerabilities in the Ninja Forms WordPress plugin were just reported. The Ninja Forms plugin enables users to create forms using drag-and-drop capabilities with ease, and it is quite popular in the WordPress repository, as it is used by one million sites.
Affecting more than one million WordPress websites, the flaws could cause various malicious outcomes, such as redirection to arbitrary locations, intercepting all mail traffic, retrieving an authentication key, and disconnecting this key to trick a site admin to perform an action. Long story short, the vulnerabilities could be deployed in attacks aiming to take over WordPress sites and redirect their owners to malicious ones.
Ninja Forms WP Plugin Vulnerabilities
The first vulnerability is rated critical and is known as “Authenticated SendWP Plugin Installation and Client Secret Key Disclosure.” The bug stems from the plugin’s ability to install add-ons that could offer various services.
“One of these services is SendWP, which is an email delivery and logging service intended to make mail handling with WordPress simpler. From the Ninja Form plugin’s Addon dashboard, it offers the ability to set up this service with just a few clicks. In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install,” Wordfence researchers explained.
It turns out that the AJAX action didn’t have nonce protection, enabling low-level users to install and activate the SendWP plugin and retrieve the client_secret key used to establish the SendWP connection.
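To make the root cause concrete, the following is an added illustration written for this article and not code from Ninja Forms or Wordfence. It contrasts a WordPress AJAX handler registered without a nonce or capability check against a hardened version. All names (`example_remote_install`, `example_install_and_connect`, the `example-admin` script handle, the `example_client_secret` option) are hypothetical; the WordPress API calls (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`, `wp_send_json_*`, `update_option`) are real.

```php
<?php
// Added example, not Ninja Forms' code. Shows why a privileged AJAX action
// needs both CSRF protection (nonce) and an authorization check.

// --- Weak pattern: reachable by any logged-in user, e.g. a subscriber ---
add_action( 'wp_ajax_example_remote_install_weak', 'example_remote_install_weak' );
function example_remote_install_weak() {
    // No nonce check and no capability check: the hook prefix "wp_ajax_"
    // only requires that the caller be logged in, at any role.
    $result = example_install_and_connect();
    // Echoing the secret back hands it to whoever triggered the request.
    wp_send_json_success( $result );
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_remote_install', 'example_remote_install' );
function example_remote_install() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request (HTTP 403, body "-1") on failure.
    check_ajax_referer( 'example_remote_install', 'nonce' );

    // 2. Authorization: installing add-ons is an administrator-level action.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result = example_install_and_connect();

    // 3. Keep the connection secret server-side; never return it to the browser.
    update_option( 'example_client_secret', $result['client_secret'], false );
    unset( $result['client_secret'] );

    wp_send_json_success( $result );
}

// Hand the nonce to the admin-page script so legitimate requests can include it
// as the "nonce" POST field. 'example-admin' is a hypothetical registered handle.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_remote_install' ),
    ) );
} );

// Placeholder for the add-on install / remote connection step (constructed value).
function example_install_and_connect() {
    return array( 'installed' => true, 'client_secret' => 'PLACEHOLDER_SECRET' );
}
```

The two checks address different failures: the nonce stops a logged-in user from being tricked into firing the request (and ties it to a specific action), while `current_user_can( 'install_plugins' )` stops a low-privilege account from calling it deliberately. A nonce alone is not an authorization check; a subscriber can obtain a nonce for their own session. Not returning the secret in the response closes the disclosure even if the other checks were somehow bypassed.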
Why is this a problem?
Since the client_secret key is returned with the AJAX request, attackers with low-level access to a vulnerable WordPress site could establish a SendWP connection with their own SendWP account. This would make sites with open-registration particularly vulnerable, the researchers warned.
That’s not all, however. If attackers could discover the username for an account, they could also trigger a password reset for that account. The impact of these actions is remote code execution:
The password reset email with the password reset link would get logged in the attacker’s SendWP account, which they could then use to reset an administrator’s password and gain administrative access to a site. This could ultimately lead to remote code execution and site takeover by modifying theme/plugin files or uploading a malicious theme/plugin.
The other three vulnerabilities are not as severe as the “Authenticated SendWP Plugin Installation and Client Secret Key Disclosure” issue. One of them is rated high, and the other two medium. The good news is that all four flaws were completely fixed in version 220.127.116.11 of the Ninja Forms plugin. If you are a user of the plugin, you should immediately update to the latest version available, which currently is version 3.5.0.
If you want to stay informed about the latest security risks involving WordPress, keep an eye on HowToHosting.guide. We cover the most important news.