2 WordPress Nija forms plugins allow hacking millions wordpress websites
Cybersecurity specialists notified of the detection of two vulnerabilities in the popular Ninja Forms plugin. According to the report, successful exploitation of the flaws could allow malicious hackers to extract sensitive information and send emails from compromised websites.
The report, presented by Wordfence, mentions that the flaw in this plugin with more than one million active installations exists because its main function for creating shapes is based on an insecure implementation of the mechanism that verifies a user’s permissions.
This means that instead of ensuring that a logged-in user had the appropriate permissions to perform certain actions, Ninja Forms only checks whether the user is logged in or not.
The first flaw, described as a bulk mail export error, would allow any logged-on user to export everything that has ever been sent to one of the site’s forms, regardless of their privilege level.
On the other hand, the exploitation of the second bug allowed any user to send an email from a vulnerable WordPress site to any email address. The report adds that the flaws could easily be exploited in order to deploy an ambitious phishing campaign to trick thousands of unsuspecting users and force them to perform malicious actions.
The researchers reported the vulnerabilities to Ninja Forms in early August and adhered to established guidelines in the cybersecurity community. The developers of the vulnerable plugin immediately recognized the issues and issued a security patch, released alongside Ninja Forms v3.5.8.
Users of compromised versions of the plugin are strongly requested to install updates as soon as possible. It is worth mentioning that at the moment no attempts of active exploitation of these failures have been detected, although users should not ignore the reports and updates.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
Originally published at https://www.securitynewspaper.com on September 24, 2021.