WordPress Ninja Forms Vulnerability Exposes Over 1 Million Sites

Today it was revealed that the popular WordPress contact form plugin Ninja Forms fixed two vulnerabilities affecting over a million WordPress installations. This is another entry in a growing list of REST API vulnerabilities discovered in WordPress plugins.

It must be reiterated that there is nothing wrong with the WordPress REST API itself. The issues stem from the way WordPress plugins design their interactions with the REST API.

WordPress REST API

The WordPress REST API is an interface that allows plugins to interact with the WordPress core. The REST API allows plugins, themes, and other applications to manipulate WordPress content and create interactive features.

This technology extends what the WordPress core can do.

Plugins exchange data with the WordPress core through the REST API in order to deliver these new features.

However, as with any interaction that allows data to be uploaded or entered, it is important to sanitize what is entered and to restrict who is able to enter it, so that the data received is what the endpoint expects and was designed to receive.

Failing to sanitize input and failing to restrict who can submit data can both lead to vulnerabilities.

And that’s exactly what happened here.

Permission callback vulnerability

Both vulnerabilities were the result of a single REST API validation issue, specifically in the permission callbacks.


A permission callback is the part of the authentication process that restricts access to a REST API endpoint to authorized users.

The official WordPress documentation describes an endpoint as a function:

“Endpoints are functions available through the API. This could be things like fetching the API index, updating a post, or deleting a comment. Endpoints perform a specific function, take a number of parameters, and return data to the client.”

According to the WordPress REST API documentation:

“Permission callbacks are extremely important for security with the WordPress REST API.

If you have private data that should not be displayed publicly, then you need to register permission callbacks for your endpoints.”

Two vulnerabilities of WordPress Ninja Forms

There were two vulnerabilities, both caused by the same error in how the permission callback was implemented.

There is nothing wrong with the WordPress REST API itself, but the way plugin makers implement it can cause issues.

Here are the two vulnerabilities:

  • Disclosure of sensitive information
  • Unprotected REST API to email injection

Sensitive information disclosure vulnerability

The Sensitive Information Disclosure vulnerability allowed any registered user, even a subscriber, to export any forms that had previously been submitted to the website. This includes any confidential information that someone may have submitted.


Ninja Forms had a permission callback that checked whether a user was logged in, but it did not check whether the user had an appropriate permission level to perform a mass export of all forms submitted through the WordPress Ninja Forms plugin.

This failure to verify the user’s permission level is what allowed any registered user, including a website subscriber, to perform a mass export of all submitted forms.
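The flawed check described above is a login check standing in for an authorization check. The following is an added illustration, not Ninja Forms’ own code: a hypothetical “export submissions” REST route (namespace, route, option name and handler are all assumed) shown with the weak permission callback beside a hardened one that checks a capability.

```php
<?php
/**
 * Added illustration (not Ninja Forms' code): two ways to write the
 * permission_callback for a hypothetical "export submissions" REST route.
 * The namespace, route, option name and handler are assumptions.
 */

// Weak pattern: only asks "is someone logged in?". Every registered
// account, including a subscriber, passes this check.
function example_weak_export_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: ask whether the current user holds a capability that
// only trusted roles have. 'manage_options' is granted to administrators
// by default; a real plugin would usually register its own capability.
function example_strict_export_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to export submissions.', 'example' ),
            // 401 for anonymous callers, 403 for logged-in callers
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler (assumed): returns stored submissions. WordPress only invokes it
// after the permission_callback has returned true.
function example_export_submissions( WP_REST_Request $request ) {
    $submissions = get_option( 'example_form_submissions', array() );
    return rest_ensure_response( $submissions );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/submissions/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_export_submissions',
        // Pointing this at example_weak_export_permission reproduces the
        // class of flaw described above: logged in is not the same as
        // authorized.
        'permission_callback' => 'example_strict_export_permission',
    ) );
} );
```

A quick defensive review of any plugin’s `register_rest_route` calls is to confirm that each `permission_callback` tests a capability (or ownership of the specific resource), not merely `is_user_logged_in()`.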

Unprotected REST API to email injection

This vulnerability was caused by the same faulty permissions callback that failed to verify the permission level of the registered attacker. The vulnerability took advantage of a Ninja Forms feature that allows website publishers to send out bulk email notifications or email confirmations in response to form submissions.

The email injection vulnerability allowed an attacker to use this specific feature of Ninja Forms to send emails from the vulnerable website to any email address.

This particular vulnerability had the potential to initiate a full site takeover or phishing campaign against customers of a website.

According to Wordfence security researchers who discovered the vulnerability:

“This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into taking unwanted actions by abusing trust in the domain used to send the email.

Additionally, a more targeted spear phishing attack could be used to trick a site owner into believing that an email was from their own site.

This could be used to trick an administrator into entering their password on a fake login page, or allow an attacker to take advantage of a second vulnerability requiring social engineering, such as Cross-Site Request Forgery or Cross-Site Scripting, which could be used to take over the site.”


Immediate Ninja Forms update recommended

Security researchers at Wordfence recommend that users of the WordPress Ninja Forms plugin update their plugin immediately.

The vulnerability is classified as medium severity, with a rating of 6.5 on a scale of 1 to 10.

Read Wordfence’s announcement:

Recently Fixed Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

Ninja Forms official changelog
