A high-severity Cross-Site Request Forgery (CSRF) vulnerability was discovered in Ninja Forms, a WordPress form plugin. An attacker who tricks a logged-in administrator into visiting a crafted page could use it to import new contact forms or replace existing ones with malicious versions, and from there gain full administrator access to the site.
Ninja Forms is a drag-and-drop form builder for WordPress that provides an interface for building complex forms and integrating them into a site. The plugin also offers optional forms for accepting payments via PayPal, Stripe, and more.
It is currently installed on more than 1 million websites, and any of them still running an unpatched version of Ninja Forms is exposed: the attack needs no credentials, only an administrator who opens an attacker-controlled page while logged in.
All versions of the Ninja Forms WordPress plugin before 3.4.24.2 are vulnerable.
As part of the Legacy mode feature, “it adds several AJAX functions which appear to be intended to import forms and fields between the ‘legacy’ mode and the default mode. While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user,” the Wordfence report describes.
Because a capability check only confirms that the browser sending the request belongs to an administrator, not that the administrator meant to send it, a forged request from a third-party page passes it. The imported form can carry JavaScript in its fields, so a successful CSRF chains into stored Cross-Site Scripting (XSS) that executes in the administrator's browser, which is enough to take over the whole site.
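To make the two quoted paragraphs concrete, here is an added illustration (not Ninja Forms' code, and not from the Wordfence report) of a WordPress admin-ajax handler with the same defect, beside a hardened version. The action name `myplugin_import_form`, the helper `myplugin_store_form` and the `manage_options` capability are all assumptions for the example; the point is the missing `check_ajax_referer()` call and the unsanitized field labels that turn a forged import into stored XSS.

```php
<?php
/**
 * Added example (hypothetical plugin "myplugin"), not Ninja Forms' own code.
 * Shows an admin-ajax import handler that checks capability but no nonce,
 * and the hardened version of the same handler.
 */

// Decode an imported form and store it. When $sanitize is false, whatever is
// in the JSON (including <script> in a field label) is saved verbatim and will
// later be echoed into the admin UI: the stored-XSS half of the chain.
function myplugin_store_form( $json, $sanitize ) {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) || empty( $data['title'] ) || ! isset( $data['fields'] ) || ! is_array( $data['fields'] ) ) {
        return false;
    }
    if ( $sanitize ) {
        $data['title'] = sanitize_text_field( $data['title'] );
        foreach ( $data['fields'] as &$field ) {
            $field['label'] = sanitize_text_field( isset( $field['label'] ) ? $field['label'] : '' );
        }
        unset( $field );
    }
    // Hypothetical storage: one option per form, keyed by a sanitized title.
    update_option( 'myplugin_form_' . sanitize_key( $data['title'] ), $data );
    return true;
}

// VULNERABLE: capability check only. An administrator lured to a page that
// auto-submits a POST to /wp-admin/admin-ajax.php?action=myplugin_import_form_vuln
// sends this request with their own session cookie, so current_user_can()
// passes even though the admin never chose to import anything.
add_action( 'wp_ajax_myplugin_import_form_vuln', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $json = isset( $_POST['form'] ) ? wp_unslash( $_POST['form'] ) : '';
    if ( ! myplugin_store_form( $json, false ) ) {
        wp_send_json_error( 'bad form', 400 );
    }
    wp_send_json_success();
} );

// HARDENED: verify the nonce before anything else. check_ajax_referer() ends
// the request with a 403 when the 'nonce' POST field is missing or stale, and
// an attacker's page cannot read the nonce because it is only ever emitted
// into pages served to the logged-in admin on this origin.
add_action( 'wp_ajax_myplugin_import_form', function () {
    check_ajax_referer( 'myplugin_import_form', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $json = isset( $_POST['form'] ) ? wp_unslash( $_POST['form'] ) : '';
    if ( ! myplugin_store_form( $json, true ) ) {
        wp_send_json_error( 'bad form', 400 );
    }
    wp_send_json_success();
} );

// The legitimate admin page receives the nonce through wp_localize_script so
// its own JavaScript can include it as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'myplugin_import_form' ),
    ) );
} );
```

Two checks are needed, not one: the nonce proves the request originated from the plugin's own admin page, and the capability check proves the user is allowed to import. Sanitizing labels on import is defense in depth; output should still be escaped with `esc_html()` or `esc_attr()` wherever a form is rendered.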
Here’s a vulnerability disclosure timeline provided by Wordfence:
- April 27, 2020 19:00 UTC – Wordfence Threat Intelligence discovers and analyzes vulnerability.
- April 27, 2020 19:24 UTC – Full vulnerability disclosure sent to the plugin’s developer as per their Responsible Security Disclosure Policy.
- April 27, 2020 20:27 UTC – Wordfence received a response from the dev team that the patch should be available the next day.
- April 28, 2020 19:00 UTC – Patched version of the plugin released (v3.4.24.2)
In other words, Wordfence shared its report with Ninja Forms on 27 April, and the Ninja Forms developers shipped a fixed release the following day.
“One of the reasons this plugin was patched so quickly was because the plugin’s team maintains a Responsible Security Disclosure Policy, often referred to as a Vulnerability Disclosure Policy,” report by Wordfence further added.
If you run Ninja Forms on one of those 1 million+ WordPress sites, update the plugin to the fully patched version 3.4.24.2 or later.