The popular WordPress form-creation tool, Ninja Forms, reportedly houses three vulnerabilities that could pave the way for hackers to escalate privileges and purloin user data.
Cybersecurity firm Patchstack detected these vulnerabilities and communicated them to the software’s developer, Saturday Drive, on June 22nd, 2023. The flaws were identified in Ninja Forms versions 3.6.25 and earlier.
In response, Saturday Drive issued version 3.6.26 on July 4th, 2023, intended to rectify the vulnerabilities. However, according to WordPress.org statistics, approximately half of all Ninja Forms users have not yet installed the latest version, leaving an estimated 400,000 sites exposed to potential cyber-attacks.
Details of the Vulnerabilities
The initial flaw identified by Patchstack, termed CVE-2023-37979, is a POST-based reflected XSS (cross-site scripting) vulnerability. It allows unauthenticated users to augment their privileges and pilfer information by coaxing privileged users into accessing a specifically-designed webpage.
The two subsequent flaws, designated CVE-2023-38393 and CVE-2023-38386, pertain to broken access control issues tied to the plugin’s form submissions export feature. These vulnerabilities enable Subscribers and Contributors to export all user-submitted data from the affected WordPress site.
Despite all the issues being categorized as high-severity, CVE-2023-38393 is particularly perilous. The stipulation of a Subscriber role user, which is relatively easy to fulfill, heightens its risk. WordPress sites that support user registrations and memberships risk severe data breach incidents if they use a susceptible version of the Ninja Forms plugin.
The remedial steps incorporated in version 3.6.26 by Saturday Drive consist of the inclusion of permission checks for the identified broken access control issues and functional access restrictions that obstruct the triggering of the XSS vulnerability.
The public reporting of these flaws was postponed for over three weeks, intended to avert hacker attention while providing time for Ninja Forms users to implement the patch. Notwithstanding, a considerable number of users have not updated their systems.
Patchstack’s report encompasses comprehensive technical information about the flaws, indicating that exploiting them could be straightforward for skilled cybercriminals.
Given these circumstances, website administrators using the Ninja Forms plugin are urged to update to version 3.6.26 or later at the earliest. If immediate updating is not feasible, admins should deactivate the plugin on their sites until the patch can be applied.