High Severity Vulnerabilities Identified in Ninja Forms WordPress Plugin

Three high-severity vulnerabilities have been identified in a popular form builder plugin for WordPress – Ninja Forms – with over 900,000 active installations. The vulnerabilities were identified by researchers at Patchstack who disclosed the vulnerabilities to the plugin developer – Saturday Drive – on June 22, 2023. Saturday Drive released an updated version of the plugin – v3.6.26 – on July 4, 2023, which addresses all three vulnerabilities.

Patchstack recently published an advisory about the flaws now that around half of the affected sites have applied the update; however, that means approximately 400,000 websites still have a vulnerable version of Ninja Forms installed and are therefore exposed to attacks exploiting the flaws.

CVE-2023-37979 is a POST-based reflected cross-site scripting (XSS) flaw that could be exploited by an unauthenticated user to escalate privileges and steal information. The flaw can be exploited by tricking a user into visiting a specially crafted web page. The vulnerability has been assigned a CVSS v3.1 base score of 7.1.

CVE-2023-38393 and CVE-2023-38386 are both due to broken access control on the form submissions export feature for authenticated Subscriber and authenticated Contributor+ roles. Successful exploitation of the flaws would allow an attacker to export all Ninja Forms submissions of a WordPress site.

Both flaws have been assigned a CVSS base score of 7.5, although CVE-2023-38393 is the more worrying vulnerability as it can be exploited by a Subscriber role. Any website running a vulnerable version of the Ninja Forms plugin that supports memberships and user registrations could easily have the flaw exploited. Since all Ninja Forms submissions could be stolen, the resultant data breach could be considerable. Now that Patchstack has published its advisory, there is an increased risk of exploitation.

All website admins should ensure that they update Ninja Forms to the latest version as soon as possible. “For some cases, plugin or theme code need to call certain function or class from user supplied string. Always try to check and restrict which function or class the user could directly call. Also pay extra attention to an export data action and always implement permission or access control check to the related functions,” suggest the researchers.
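The researchers' two recommendations can be sketched as a WordPress AJAX export handler. This is an added example, not code from Ninja Forms or Patchstack: every `example_*` name, the `format` and `nonce` request fields, and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
// Hypothetical plugin code: every example_* name is an assumption, not Ninja Forms code.

// Allowlist: the only functions a request-supplied string may select.
const EXAMPLE_EXPORTERS = array(
    'csv'  => 'example_export_csv',
    'json' => 'example_export_json',
);

function example_export_csv( array $rows ): string {
    $out = fopen( 'php://temp', 'r+' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    rewind( $out );
    return stream_get_contents( $out );
}

function example_export_json( array $rows ): string {
    return (string) wp_json_encode( $rows );
}

// Constructed sample rows standing in for stored form submissions.
function example_load_submissions(): array {
    return array( array( 'name', 'email' ), array( 'Test User', 'test@example.com' ) );
}

function example_handle_export(): void {
    // 1. CSRF: the request must carry a valid nonce for this action (dies otherwise).
    check_ajax_referer( 'example_export', 'nonce' );

    // 2. Authorization: being logged in (e.g. as Subscriber) is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 3. Map the request string through the allowlist; never call it directly.
    $format   = isset( $_POST['format'] ) ? sanitize_key( wp_unslash( $_POST['format'] ) ) : '';
    $exporter = EXAMPLE_EXPORTERS[ $format ] ?? null;
    if ( null === $exporter ) {
        wp_send_json_error( 'Unknown export format', 400 );
    }

    wp_send_json_success( $exporter( example_load_submissions() ) );
}

// wp_ajax_* runs only for logged-in users; no wp_ajax_nopriv_* hook is registered.
add_action( 'wp_ajax_example_export', 'example_handle_export' );
```

The `wp_ajax_` hook alone only proves the caller is logged in, which on a site with open registration includes every Subscriber; the `current_user_can()` check is what restricts the export to the intended role.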

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news