Wicked WordPress plugin vulnerabilities put over a million sites at risk



Two vulnerabilities in the popular Ninja Forms WordPress plugin could have allowed malicious actors to export sensitive information and send phishing emails from a vulnerable site, security researchers report.

In their breakdown of the vulnerabilities, researchers at Wordfence, which develops security solutions to protect WordPress installations, note that Ninja Forms has an install base of over a million websites.

The researchers say the vulnerabilities existed because the popular form builder plugin relied on an insecure implementation of the mechanism that checks a user’s permissions.

Instead of ensuring that a logged-in user held the permissions required to trigger the associated action, the function only checked whether the user was logged in at all, and nothing else.

Who is it?

One of the issues, a bulk submission export vulnerability, could allow any logged-in user, regardless of their permission level, to export everything that had already been submitted to any of the site’s forms.

The other issue allowed any user to send an email from a vulnerable WordPress website to any email address.
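The permission-check flaw behind both issues, shown as an added illustration in WordPress plugin code (this is not Ninja Forms' code; the action and function names are hypothetical). The first handler only confirms a session exists, so any logged-in role passes; the second ties the action to a nonce and a capability.

```php
<?php
// Illustrative WordPress AJAX handlers, not Ninja Forms' own code.
// Hypothetical action/function names; 'manage_options' is one reasonable
// capability for an admin-only export, the right one depends on the plugin.

// Weak pattern: the only "authorization" is whether a session exists.
// Any logged-in account, including a subscriber, gets past this check.
function example_export_submissions_insecure() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // ... the export of all form submissions would be built here ...
    wp_send_json_success( 'export would be generated here' );
}
add_action( 'wp_ajax_example_export', 'example_export_submissions_insecure' );

// Hardened pattern: require a CSRF nonce bound to this action, then a
// capability that only the intended roles hold, before doing any work.
function example_export_submissions_secure() {
    // Dies with HTTP 403 unless a valid nonce for this action is supplied.
    check_ajax_referer( 'example_export', 'nonce' );

    // Least privilege: gate on a capability, not on "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // ... the export of all form submissions would be built here ...
    wp_send_json_success( 'export would be generated here' );
}
add_action( 'wp_ajax_example_export_secure', 'example_export_submissions_secure' );
```

The same check applies to an email-sending action: an authenticated session says nothing about whether the caller should be allowed to send mail from the site's domain.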

“This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into taking unwanted actions by abusing trust in the domain that was used to send the email,” suggests Wordfence, adding that it could also be used to deceive the administrators of the website as well as to facilitate a campaign to take control of the site.

Wordfence responsibly disclosed the vulnerabilities to Ninja Forms on August 3, 2021. The developers acknowledged them immediately and released a patch earlier this month in the form of Ninja Forms v3.5.8.
