Three vulnerabilities have been found in the widely used WordPress form-building plugin, Ninja Forms. These security flaws have the potential to enable attackers to perform privilege escalation and compromise user data.
The vulnerabilities were discovered by researchers at Patchstack and reported to Saturday Drive, the developer of Ninja Forms, on June 22nd, 2023. All Ninja Forms releases up to and including 3.6.25 are affected.
To address the issues, the developers released version 3.6.26 on July 4th, 2023, which contains fixes for all three vulnerabilities. Despite the update being available, download statistics from WordPress.org indicate that only about half of all Ninja Forms installations are running the latest version, leaving roughly 400,000 websites still exposed.
Vulnerabilities
The first vulnerability, CVE-2023-37979, is a POST-based reflected cross-site scripting (XSS) flaw. An unauthenticated attacker can exploit it by luring a privileged user to a specially crafted page that submits the malicious request to the vulnerable site; the injected script then runs in that user's session, which is what allows privilege escalation and data theft.
The other two issues, CVE-2023-38393 and CVE-2023-38386, are broken access control flaws in the plugin's form submissions export feature. A user holding only the Subscriber role (CVE-2023-38393) or the Contributor role (CVE-2023-38386) can export all user-submitted data on the affected WordPress site.
CVE-2023-38393 is the more dangerous of the two because the Subscriber role is the lowest default role and is typically handed out automatically to anyone who registers.
Any site that allows membership or user registration and runs a vulnerable version of Ninja Forms is therefore exposed to a large-scale data breach: a self-registered account is enough to pull every form submission. Both issues are classified as high severity.
In version 3.6.26 the vendor fixed both classes of issue: permission checks were added to the export feature to close the broken access control flaws, and access to the function that triggered the XSS was restricted so that the crafted request no longer reaches it.
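To make both fixes concrete, the following is an added illustration (not Ninja Forms' code and not Patchstack's proof of concept) of a hypothetical WordPress admin-ajax export handler that has the two defects the advisory describes, the missing authorisation check on the export and a reflected, unescaped request parameter, followed by the same handler with the checks a 3.6.26-style fix adds. The hook, function, nonce, capability and helper names are assumptions made for the example.

```php
<?php
/*
 * Added illustration only: a hypothetical admin-ajax export handler, first
 * with the two defects (no authorisation check, unescaped reflected input),
 * then with the fixes. All names (hooks, functions, nonce action,
 * example_fetch_submissions) are assumptions, not the plugin's API.
 */

/* ---------- Vulnerable: reachable by any logged-in user, output unescaped --- */

function example_export_vulnerable() {
    // wp_ajax_* hooks fire for every authenticated user, Subscriber included.
    // Nothing here asks whether the caller is allowed to see submissions.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $rows    = example_fetch_submissions( $form_id ); // hypothetical data helper

    if ( empty( $rows ) ) {
        // Reflected XSS: a request parameter is echoed back verbatim. Because the
        // request is a POST, an attacker delivers it by having a privileged user
        // visit a page that auto-submits a form to admin-ajax.php.
        echo 'No submissions found for ' . $_POST['form_label'];
        wp_die();
    }
    header( 'Content-Type: text/csv' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die();
}
add_action( 'wp_ajax_example_export_vulnerable', 'example_export_vulnerable' );

/* ---------- Fixed: capability check, nonce, escaped output ----------------- */

function example_export_fixed() {
    // 1. Authorisation: only users who may administer the site (or hold a
    //    plugin-specific capability, if one is registered) may export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. Nonce check: a third-party page cannot forge this POST on behalf of a
    //    privileged user, which removes the delivery vector for a POST-based
    //    reflected XSS even before output encoding is considered.
    check_ajax_referer( 'example_export_nonce', 'nonce' );

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $rows    = example_fetch_submissions( $form_id );

    if ( empty( $rows ) ) {
        // 3. Output encoding: anything reflected back is HTML-escaped.
        $label = isset( $_POST['form_label'] )
            ? sanitize_text_field( wp_unslash( $_POST['form_label'] ) )
            : '';
        wp_die( esc_html( 'No submissions found for ' . $label ) );
    }
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="submissions-' . $form_id . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die();
}
add_action( 'wp_ajax_example_export_fixed', 'example_export_fixed' );

// Hypothetical stand-in for the plugin's submission query so the file parses.
function example_fetch_submissions( $form_id ) {
    return array();
}
```

The order of the checks in the fixed handler matters: the capability check is the authorisation decision and must not be replaced by the nonce, since a Subscriber can obtain a valid nonce from any page that prints one; the nonce is what stops a privileged user's browser from being driven into the endpoint from an attacker's page.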
To give site owners time to patch, Patchstack held back public disclosure for more than three weeks after the fixed version shipped, so as not to draw attackers' attention to the flaws before updates were widely applied. Despite that window, a large share of installations still have not been updated.
Patchstack's write-up provides detailed technical information on all three vulnerabilities, so capable threat actors could now reproduce the attacks with relative ease.
All administrators running the Ninja Forms plugin should update to version 3.6.26 or later immediately. If updating is not possible right away, deactivate the plugin until the patch can be applied. Acting quickly is the only reliable way to protect the site and the submitted user data from exploitation.
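Before relying on the dashboard's update indicator, an administrator can confirm the installed version directly from the plugin's main file header. The script below is an added example, not part of the article or the plugin; it assumes the standard layout wp-content/plugins/ninja-forms/ninja-forms.php, a GNU or BSD `sort -V` for version ordering, and a constructed sample header in place of a real install.

```shell
#!/bin/sh
# Added example (not from the article or the plugin): read the installed
# Ninja Forms version from the plugin header and decide whether it is at or
# below the last vulnerable release, 3.6.25. Assumes `sort -V` is available.

LAST_VULNERABLE="3.6.25"

# Print the "Version:" header value from a WordPress plugin main file.
# The header line looks like " * Version: 3.6.25" or "Version: 3.6.25".
nf_version_from_file() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 (true) when version $1 is <= LAST_VULNERABLE, 1 otherwise.
# `sort -V` orders dotted versions numerically, so 3.6.9 < 3.6.25 < 3.10.0.
nf_is_vulnerable() {
    highest=$(printf '%s\n%s\n' "$1" "$LAST_VULNERABLE" | sort -V | tail -n 1)
    [ "$highest" = "$LAST_VULNERABLE" ]
}

# Constructed sample plugin header (assumption: stands in for a real install).
# Usage: make_sample /path/to/file.php 3.6.25
make_sample() {
    printf '<?php\n/**\n * Plugin Name: Ninja Forms\n * Version: %s\n */\n' "$2" > "$1"
}

# Report "<version> vulnerable" (exit 0), "<version> patched" (exit 1) or
# "unknown" (exit 2) for the plugin main file given as $1.
nf_check_install() {
    v=$(nf_version_from_file "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if nf_is_vulnerable "$v"; then
        echo "$v vulnerable"
        return 0
    fi
    echo "$v patched"
    return 1
}

# Typical call on a live site:
#   nf_check_install /var/www/html/wp-content/plugins/ninja-forms/ninja-forms.php
```

Reading the header rather than the database option is deliberate: the file on disk is what actually executes, and it is unaffected by a stale version string cached in wp_options after a failed or partial update.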

