July 28, 2023

Vulnerabilities in popular WordPress Ninja Forms plugin could leak user data


Three vulnerabilities have been discovered in Ninja Forms, a popular WordPress form-building plugin with over 800,000 active installations worldwide. The vulnerabilities, which affect Ninja Forms versions 3.6.25 and older, could give attackers the opportunity to steal data submitted through the form with minimal effort.

The first vulnerability, designated CVE-2023-37979, is a cross-site scripting (XSS) bug that allows unauthenticated users to escalate privileges and steal information by duping privileged users into visiting a purpose-built webpage. The remaining vulnerabilities, designated CVE-2023-38393 and CVE-2023-38386, allow users with subscriber and contributor accounts to export all the data that every user has submitted on the site. Obtaining a subscriber account is usually an automated process that an attacker can complete in a matter of seconds on any WordPress site that allows user registration.

The flaws were responsibly disclosed to the plugin’s developer, Saturday Drive, in June 2023, and a patch was developed and released three weeks later. However, despite the patch being released on July 4th, 2023, less than half of Ninja Forms installations have been upgraded to the secure version. Given the technical research published on the vulnerabilities and the availability of a patch that can be reverse-engineered, knowledgeable threat actors likely have all they need to conduct attacks against the unpatched plugin.

Source: Bleeping Computer

Analysis

WordPress is a popular content management system due to its affordability, ease of use, and repository of nearly 60,000 plugins. Unfortunately, it’s also a popular target for threat actors looking for infrastructure to host malware or to serve as part of their command and control (C2) networks, because the plethora of plugins users can install into their WordPress applications are often misconfigured and not regularly updated.

For example, in early July 2023, WordPress advised its users to uninstall the popular Ultimate Member plugin until a patch was released to address a zero-day privilege escalation vulnerability. The flaw allowed threat actors to change their user meta value to define their role as an administrator, providing them with complete access to the site.

Mitigation

Field Effect strongly encourages users of the Ninja Forms plugin to update to the latest version as soon as possible.
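The following script is an added example, not code from the original post or from Saturday Drive, showing how an administrator can check whether an installed copy of Ninja Forms falls within the affected range (3.6.25 and older, as stated above). It implements a plain POSIX dotted-version comparison so it does not depend on GNU `sort -V`, and it assumes WP-CLI is installed and that the plugin uses the `ninja-forms` slug; the sample versions checked at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the installed Ninja Forms version against the
# affected range described in the advisory (3.6.25 and older).

LAST_VULNERABLE_VERSION="3.6.25"   # from the advisory text
PLUGIN_SLUG="ninja-forms"          # assumed WordPress.org slug for the plugin

# version_le A B -> returns 0 (true) if dotted version A <= B.
# Compares component by component; missing components count as 0,
# so "3.6" is treated as "3.6.0".
version_le() {
  left=$1
  right=$2
  while [ -n "$left" ] || [ -n "$right" ]; do
    l=${left%%.*}
    r=${right%%.*}
    # consume the leading component (or empty the string when none remain)
    [ "$left" = "$l" ] && left='' || left=${left#*.}
    [ "$right" = "$r" ] && right='' || right=${right#*.}
    l=${l:-0}
    r=${r:-0}
    if [ "$l" -lt "$r" ]; then return 0; fi
    if [ "$l" -gt "$r" ]; then return 1; fi
  done
  return 0   # all components equal
}

# is_vulnerable_version V -> returns 0 if V is 3.6.25 or older.
is_vulnerable_version() {
  version_le "$1" "$LAST_VULNERABLE_VERSION"
}

# Query the live site with WP-CLI (assumed present) and report the result.
# `wp plugin get <slug> --field=version` prints only the installed version.
audit_ninja_forms() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "Ninja Forms ($PLUGIN_SLUG) is not installed on this site."
    return 0
  }
  if is_vulnerable_version "$installed"; then
    echo "VULNERABLE: Ninja Forms $installed is <= $LAST_VULNERABLE_VERSION; update immediately."
    return 2
  fi
  echo "OK: Ninja Forms $installed is newer than $LAST_VULNERABLE_VERSION."
  return 0
}

# Stand-alone demonstration on constructed sample versions.
for v in 3.6.9 3.6.25 3.6.26 3.7.0; do
  if is_vulnerable_version "$v"; then
    echo "$v -> affected"
  else
    echo "$v -> not affected"
  fi
done

# Run the live audit only when WP-CLI is actually available.
if command -v wp >/dev/null 2>&1; then
  audit_ninja_forms
fi
```

Run it from the WordPress root (where WP-CLI can locate `wp-config.php`); a non-zero exit from `audit_ninja_forms` makes it easy to wire into a fleet-wide check across multiple sites.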
