The renowned WordPress form plugin Ninja Forms has been found to contain three vulnerabilities that could grant malicious users unauthorized privileges and allow them to extract personal data.
On June 22, 2023, researchers at Patchstack discovered three vulnerabilities in the code of the Saturday Drive plugin, which directly affect Ninja Forms versions 3.6.25 and earlier.
In response to these findings, the developers promptly released version 3.6.26 on July 4, 2023, which addressed the identified vulnerabilities and provided necessary fixes.
Despite the availability of the updated version, current statistics from WordPress.org indicate that only about half of Ninja Forms users have downloaded the latest release, leaving approximately 400,000 sites still exposed to potential attacks.
The Patchstack team uncovered three vulnerabilities in the plugin:
- CVE-2023-37979: This vulnerability is a reflected cross-site scripting (XSS) flaw triggered via a POST request. Unauthenticated users can exploit it by tricking a privileged user into visiting a specially crafted web page, granting them unauthorized access to information.
- CVE-2023-38393: The second vulnerability concerns broken access control in the plugin’s export form submissions feature. Subscribers and Contributors can use this flaw to retrieve all data that users have submitted to the affected WordPress site.
- CVE-2023-38386: The third vulnerability likewise stems from an access control issue in the plugin’s export form submissions feature. It also enables Subscribers and Contributors to access all data submitted by users on the affected WordPress site.
In version 3.6.26, the vendor applied the necessary patches: permission checks were added to fix the access control issues, and access to the affected feature was restricted to mitigate the known XSS attack.
Patchstack has published comprehensive technical details of the three vulnerabilities, which lowers the effort required for knowledgeable threat actors to exploit them.
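As an added illustration (not Ninja Forms' own code and not the actual 3.6.26 patch), the following hypothetical WordPress plugin shows the missing-authorization pattern behind the two export flaws next to the permission-checked form the vendor's fix describes; all `myplugin_*` names, hook names and the submissions table are assumptions.

```php
<?php
// Added example with a hypothetical plugin ("myplugin_*" names are assumed); not
// Ninja Forms' own code. Shows the access-control bug class behind CVE-2023-38393
// and CVE-2023-38386 and the permission-check fix described above.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every logged-in role, so without an
// explicit capability check a Subscriber or Contributor can request the export.
add_action( 'wp_ajax_myplugin_export_unsafe', 'myplugin_export_unsafe' );
function myplugin_export_unsafe() {
    $form_id = absint( $_REQUEST['form_id'] ?? 0 );
    myplugin_stream_csv( $form_id ); // hands all submissions to any authenticated caller
    wp_die();
}

// HARDENED PATTERN: reject forged requests (nonce) and enforce authorization
// (capability) before any submission data is read.
add_action( 'wp_ajax_myplugin_export_safe', 'myplugin_export_safe' );
function myplugin_export_safe() {
    check_ajax_referer( 'myplugin_export', 'nonce' ); // dies on a missing/invalid nonce
    // Subscribers and Contributors do not hold 'manage_options'. A plugin may
    // instead register its own capability and grant it only to trusted roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $form_id = absint( $_REQUEST['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form id' ), 400 );
    }
    myplugin_stream_csv( $form_id );
    wp_die();
}

// Hypothetical helper: reads rows from an assumed custom table and emits CSV.
function myplugin_stream_csv( $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_submissions';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT field, value FROM {$table} WHERE form_id = %d", $form_id ),
        ARRAY_A
    );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="form-' . $form_id . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
}
```

The nonce alone is not an authorization control: it only proves the request originated from a page WordPress served to that user, so the `current_user_can()` check is what actually keeps low-privileged roles away from the export.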
However, it is strongly advised that all webmasters using the Ninja Forms plugin promptly update to version 3.6.26 or a later release. If updating immediately is not feasible, they should disable the plugin on their sites until they can apply the necessary update.
WordPress is a widely used content management system (CMS) known for its flexibility and ease of use in website creation and management.
Being open source, WordPress attracts the attention of malicious users, making security a crucial concern.
To maintain website security, every WordPress website administrator should stay informed about the latest security threats and consistently apply updates and fixes.