Ninja Forms repairs serious flaw and it also allows full site takeover.

With over a million installs, Ninja Forms is a massively popular forms builder plugin for the WordPress website builder. It is vulnerable to a high-severity bug that might allow threat actors to total website takeover.

Ninja Forms recently issued a new patch that, when reverse-engineered, revealed a code injection vulnerability. This vulnerability affected all versions beginning with 3.0.

According to Wordfence threat intelligence, if cyber criminals remotely run code through deserialization, they can entirely take over a vulnerable site. Which in its originality is a piece of bad news for people with the less protected sites.  

Reports of misuse

Wordfence threat intelligence lead discovered a code injection vulnerability that allowed unauthenticated attackers to use a limited number of methods in multiple Ninja Forms classes. I also included one that unserialized user-supplied content, this resulted in Object Injection.

So, hackers can use this to run random code or delete arbitrary files on sites with a separate POP chain.

To make matters worse, Wordfence discovered that the issue was being used in the wild.

According to the technology news website Bleeping Computer, the patch was forced-pushed to the bulk of the impacted sites. As per the patch’s download statistics, over 730,000 websites have already been fixed. Although these numbers are encouraging, however, still hundreds of thousands of websites are now vulnerable to being hacked and taken over.

The users who use Ninja Forms and haven’t upgraded it yet should do it manually as soon as possible. This may be done through the dashboard, and administrators should ensure that their plugin has been upgraded to version 3.6.11.

This is not the first time a critical issue in Ninja Forms has been discovered. In 2020 all versions of the plugin up to 3.4.24.2 were discovered to be vulnerable to the Cross-Site Request Forgery (CSRF) vulnerability. This one could have been used to execute Stored Cross-Site Scripting (Stored XSS) attacks on users’ WordPress sites, therefore taking control of them.

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments