High Severity Vulnerabilities Discovered in Ninja Forms Plugin

Cyber Security Threat Summary:
Multiple critical vulnerabilities have been detected in Ninja Forms, a widely used WordPress forms builder plugin with more than 900,000 active installations. The plugin, created by Saturday Drive, enables users to generate a wide range of forms such as contact forms, event registration, file uploads, and payments. Security researchers from Patchstack published a new advisory revealing the first vulnerability, a reflected cross-site scripting flaw triggered through POST requests.

“Exploiting this vulnerability could allow unauthorized users to steal sensitive information or execute malicious code on a WordPress site. The flaw was assigned CVE-2023-37979 and has been fixed in version 3.6.26 of the plugin. The second and third vulnerabilities involve broken access control on the form submissions export feature for Authenticated (Subscriber+) and Authenticated (Contributor+) roles. These issues would permit Subscriber and Contributor level users to export all Ninja Forms submissions on a WordPress site, regardless of their intended access privileges. The vulnerabilities were assigned CVE-2023-38393 and CVE-2023-38386 respectively, and both have also been addressed in version 3.6.26 of the plugin.” (InfoSecurityMagazine, 2023)

Security Officer Comments:
In June, the identification of these vulnerabilities was communicated to the plugin vendor. Consequently, on July 4, 2023, Ninja Forms issued version 3.6.23, which addressed the reported issues. Following this, on July 25, 2023, Patchstack added these vulnerabilities to its vulnerability database. The security patches were released several weeks after Wordfence’s research report, which highlighted the exploitation of a WooCommerce bug in more than one million WordPress attacks.

Suggested Correction(s):
To mitigate these security risks, Ninja Forms users must update the plugin to at least version 3.6.26. Doing so protects their websites from exploitation of these flaws.
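As an added illustration of the broken access control class described above (this is hypothetical code written for this page, not Ninja Forms' code or the advisory's), a WordPress export handler that only checks for a logged-in user is shown beside a hardened version that requires an administrative capability and a nonce; the helper `stream_submissions_csv()` and the action name are assumptions:

```php
<?php
// Hypothetical WordPress submissions-export handler (constructed example).
// Not Ninja Forms' code; it illustrates the authorization gap only.

// Weak pattern: confirms the caller is logged in and nothing more, so a
// Subscriber- or Contributor-level account reaches the export just like
// an Administrator would. This is the defect class the advisory names.
function weak_export_submissions() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Forbidden', 403 );
    }
    stream_submissions_csv();
}

// Hardened pattern: bind the request to the admin UI with a nonce and
// require a capability that low-privilege roles do not hold by default.
function hardened_export_submissions() {
    // Rejects forged cross-site requests and stale links.
    check_admin_referer( 'export_submissions_action', 'export_nonce' );

    // 'manage_options' is granted to Administrators (and Super Admins)
    // by default, not to Subscribers or Contributors.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export submissions.' ), 403 );
    }
    stream_submissions_csv();
}

// Assumed helper: streams rows as CSV. Cells beginning with =, +, -, @ are
// prefixed with a quote so a spreadsheet does not evaluate them as formulas.
function stream_submissions_csv() {
    $rows = array( // constructed sample data
        array( 'name' => 'Alice', 'message' => 'Hello' ),
        array( 'name' => 'Bob',   'message' => '=HYPERLINK("x")' ),
    );
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'message' ) );
    foreach ( $rows as $row ) {
        $safe = array_map( function ( $v ) {
            return preg_match( '/^[=+\-@]/', $v ) ? "'" . $v : $v;
        }, $row );
        fputcsv( $out, $safe );
    }
    fclose( $out );
    exit;
}

add_action( 'admin_post_export_submissions', 'hardened_export_submissions' );
```

The weak handler is shown only to make the missing check visible; only the hardened handler is registered.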

Link(s):
https://www.bleepingcomputer.com/