Ninja Forms plugin vulnerability enables hackers to steal data

August 1, 2023

Ninja Forms, a widely utilised WordPress plugin, contains multiple bugs that could allow an attacker to escalate privileges and harvest user information. The researchers who identified the flaws notified the plugin developers last month. The affected versions of the plugin are 3.6.25 and older.

Fortunately, the developers promptly released patch 3.6.25 earlier this month to address the vulnerabilities. However, only half of all Ninja Forms users have installed the latest patch, leaving approximately 400,000 websites exposed.


The Ninja Forms plugin has three security vulnerabilities.


According to investigations, the first discovered flaw in the Ninja Forms plugin is CVE-2023-37879, which is a POST-based reflected XSS bug that could enable an unauthenticated user to escalate their privileges and harvest information by deceiving privileged users into visiting a malicious webpage.

The two additional flaws (CVE-2023-38393 and CVE-2023-38386) are broken access control flaws on the plugin’s form submissions export feature. These issues could allow subscribers and contributors to export all the data users have submitted to the affected WordPress website.

Threat analysts explained that the second vulnerability is dangerous because it only requires an account with the Subscriber role, which is easy to obtain. Any website that supports membership and user registration would be prone to large-scale data breaches, since an attacker could use the flaw in a vulnerable Ninja Forms version.

The latest patch from the plugin maintainers adds permission checks to address the broken access control problem, along with access restrictions that prevent the identified XSS from being triggered.
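As an added illustration (not Ninja Forms' own source), the following hypothetical WordPress plugin code shows a submissions-export handler with no permission check beside a hardened version, plus the output escaping that blocks a reflected XSS; the hook, option and function names are assumptions.

```php
<?php
/*
 * Illustrative WordPress plugin code (not Ninja Forms' actual code).
 * Hook name, option name and function names are assumed for the example.
 */

// BEFORE: any logged-in user (e.g. a Subscriber) who reaches this
// admin-post endpoint receives every stored submission, because the
// handler checks neither capabilities nor a nonce (broken access control).
function example_export_submissions_insecure() {
    $rows = get_option( 'example_form_submissions', array() ); // assumed storage
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo implode( ',', $row ) . "\n";
    }
    exit;
}

// AFTER: require an explicit capability and a nonce bound to this action,
// so subscriber/contributor accounts are refused and the request cannot be
// forged from a third-party page. Field values are sanitised before output.
function example_export_submissions_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to export submissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_submissions' ); // dies on a missing or bad nonce

    $rows = get_option( 'example_form_submissions', array() );
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, array_map( 'sanitize_text_field', $row ) );
    }
    fclose( $out );
    exit;
}
add_action( 'admin_post_example_export', 'example_export_submissions_secure' );

// A POST parameter reflected into an admin page must be escaped on output;
// otherwise a crafted form submission can inject script (reflected XSS).
function example_render_status_notice() {
    $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    echo '<div class="notice"><p>' . esc_html( $status ) . '</p></div>';
}
```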

The researchers delayed disclosure of the new vulnerabilities for more than three weeks to prevent hackers from exploiting the bugs. The delay also gave the Ninja Forms maintainers time to develop a patch that addresses the security vulnerabilities. Unfortunately, a significant number of websites still run a version of the Ninja Forms plugin that has yet to receive the new update.

Therefore, all website admins should apply the new Ninja Forms patch now to prevent exploitation by malicious actors. Lastly, users can disable the plugin on their sites if they do not have time to update it.
