Published on April 30th, 2020

Ninja Forms WordPress plugin patch prevents takeover of 1M sites



The developers of Ninja Forms, a WordPress plugin with more than 1 million installations, have fixed a high severity security vulnerability that can let attackers inject malicious code and take over websites using an unpatched version of the plugin.

The vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (Stored XSS), and it affects all Ninja Forms versions prior to 3.4.24.2, the release that fixes it.

Attackers can exploit this Ninja Forms bug by tricking a logged-in WordPress administrator into clicking a specially crafted link; the resulting request imports a contact form that carries malicious JavaScript.

Ninja Forms is a form builder plugin that allows WordPress users to create complex forms within just a few minutes with the help of a drag and drop based editor.

Ninja Forms plugin (Saturday Drive)

Forms with malicious code

An attacker can abuse the plugin's functionality to replace all existing forms on a targeted website with a malicious one as detailed in research published today by Wordfence QA Engineer Ram Gall.

To do this, the threat actors can abuse the ninja_forms_ajax_import_form AJAX function added by the plugin's "legacy" mode, which enables reverting to the styling and features available in older versions.

This function neither verifies a nonce nor checks that the request was intentionally issued by a legitimate user. Because the browser automatically attaches the administrator's session cookie, a crafted link or page the administrator opens can make that request on their behalf and import forms containing malicious JavaScript.

By manipulating the formID $_POST parameter of the same request, an attacker can also overwrite existing forms on the targeted site with malicious ones.

Vulnerable Ninja Forms function (Wordfence)

"Depending on where the JavaScript was placed in the imported form, it could be executed in a victim’s browser whenever they visited a page containing the form, whenever an Administrator visited the plugin’s Import/Export page, or whenever an Administrator attempted to edit any of the form’s fields," Gall explained.

"As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site."
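To make the two root causes concrete, the following is an added illustration (not Ninja Forms' code and not taken from the Wordfence write-up): a hypothetical admin-ajax import handler written in the vulnerable pattern described above, beside a hardened version. The handler names, the `formID`/`import` parameters, the option key and the script handle are all assumptions chosen for the example.

```php
<?php
// Added example, not Ninja Forms' own code. All names below are hypothetical.

// VULNERABLE PATTERN: an admin-ajax action that trusts the caller's session alone.
// A page the administrator visits on another site can POST here, because the
// browser attaches the WordPress auth cookie and nothing ties the request to a
// nonce or checks the user's capability.
add_action( 'wp_ajax_example_import_form', 'example_import_form_vulnerable' );
function example_import_form_vulnerable() {
    $form_id = isset( $_POST['formID'] ) ? absint( $_POST['formID'] ) : 0;
    $import  = isset( $_POST['import'] ) ? wp_unslash( $_POST['import'] ) : '';
    // Stored as-is: a field label or setting containing <script> lands in the
    // database and is later echoed on the front end and in the admin editor.
    update_option( 'example_form_' . $form_id, $import );
    wp_send_json_success( array( 'formID' => $form_id ) );
}

// HARDENED PATTERN: nonce check, capability check, then sanitise what is stored.
add_action( 'wp_ajax_example_import_form_safe', 'example_import_form_safe' );
function example_import_form_safe() {
    // 1. CSRF: the nonce is only present on pages WordPress rendered for this
    //    user, so a cross-site request cannot supply it. Dies with 403 on failure.
    check_ajax_referer( 'example_import_form', 'security' );

    // 2. Authorisation: the session may belong to a low-privilege user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $form_id = isset( $_POST['formID'] ) ? absint( $_POST['formID'] ) : 0;
    $raw     = isset( $_POST['import'] ) ? wp_unslash( $_POST['import'] ) : '';
    $data    = json_decode( $raw, true );
    if ( 0 === $form_id || ! is_array( $data ) ) {
        wp_send_json_error( 'bad import payload', 400 );
    }

    // 3. Stored XSS: strip markup from every string before it is persisted.
    //    wp_kses_post() is the alternative when limited HTML must be allowed.
    $clean = array_map( 'example_deep_sanitize', $data );
    update_option( 'example_form_' . $form_id, $clean );
    wp_send_json_success( array( 'formID' => $form_id ) );
}

// Recursively sanitise nested import data (field labels, settings, options).
function example_deep_sanitize( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'example_deep_sanitize', $value );
    }
    return is_string( $value ) ? sanitize_text_field( $value ) : $value;
}

// The nonce the safe handler expects is emitted on the plugin's own admin page,
// so the script that calls admin-ajax.php sends it as the 'security' field.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_import_form' ),
    ) );
} );
```

Two caveats a reviewer would raise: the nonce check alone does not replace the capability check (a nonce proves the request came from a page WordPress served to some logged-in user, not that the user is allowed to import forms), and sanitising on input does not remove the need to escape on output with `esc_html()`/`esc_attr()` wherever the stored form data is rendered.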

Over 800,000 sites still exposed

The vulnerability was discovered by Wordfence and responsibly reported to Ninja Forms' developer Saturday Drive on April 27; a fix was published as version 3.4.24.2 less than a day after the initial disclosure report.

Wordfence has assigned the issue a CVSS score of 8.8 (high severity). All Ninja Forms users should immediately update the plugin to version 3.4.24.2, the release that fully patches it.

Ninja Forms updates during the last two days and during the last week

However, despite the patch having been available for almost three days, only a little over 170,000 of the plugin's more than 1 million users have updated to the fixed version during the last week.

Earlier this week, users of the Real-Time Find and Replace plugin were also urged to patch their installations to block attackers from creating rogue admin accounts by exploiting a similar CSRF security flaw discovered on April 22.

As in this case, although that plugin has over 100,000 users, only a small number of them have installed the security fix, which was provided within a few hours of the report.
