An extremely popular form builder plugin for WordPress website builder (opens in new tab) with over a million installs is vulnerable to a high severity flaw that could allow threat actors to complete control of the site.
Ninja Forms recently released a new patch, which, when reverse-engineered, included a code injection vulnerability. (opens in new tab) which affected all versions from 3.0 and up.
According to Threat Intelligence Lead at Wordfence, Chloe Chamberland, remote code execution via deserialization allows threat actors to completely take over a vulnerable website.
Evidence of abuse
“We discovered a code injection vulnerability that allowed unauthenticated attackers to call a limited number of methods on several Ninja Forms classes, including a method that did not serialize user-provided content, resulting in object injection,” Chamberland said.
“This could allow attackers to execute arbitrary code (opens in new tab) or exclude arbitrary files on sites where a separate POP chain was present.”
To make matters even worse, the flaw has been observed being abused in the wild, according to Wordfence.
Patch was forced to most affected locations, BleepingComputer most found. Looking at the patch download statistics, more than 730,000 sites have already been fixed. While the number is encouraging, it still leaves hundreds of thousands of websites vulnerable.
Those who use Ninja Forms and have not yet updated it should apply the fix manually as soon as possible. This can be done from the dashboard, and admins should make sure their plugin is updated to version 3.6.11.
This isn’t the first time a high-severity glitch has been found in Ninja Forms. About two years ago, all plugin versions up to 18.104.22.168 were affected by the Cross-Site Request Forgery (CSRF) vulnerability. This could have been used to launch cross-site scripting attacks stored (XSS stored) on the user’s WordPress (opens in new tab) sites, essentially assuming them.
Through: BleepingComputer (opens in new tab)