Ninja Forms Vulnerability
The Wordfence team has published another vulnerability report affecting WordPress sites. This time, the vulnerability existed in the Ninja Forms plugin, which boasts over 1 million active installations.
As revealed in their post, they found a CSRF vulnerability in the plugin that appeared due to flaws in two functions. These functions failed to check nonces, thereby failing to verify whether an incoming request is from a legitimate user or not.
One of the affected functions is ninja_forms_ajax_import_form, which imports forms with HTML content.
According to the researchers, like every XSS, exploiting this flaw could lead to the creation of rogue admin accounts, takeover of target sites, and redirection of site visitors to malicious links.
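For plugin authors and site auditors, the missing-nonce pattern described above can be checked for statically. The following is an added example, not code from Wordfence or Ninja Forms: a heuristic Python scan that flags WordPress AJAX handlers whose callbacks never call a nonce check. The PHP sample and its demo_* names are constructed for illustration.

```python
import re

# Constructed sample plugin source (not Ninja Forms code): the first handler has
# a capability check but no nonce check; the second verifies a nonce first.
SAMPLE_PHP = r"""
<?php
add_action( 'wp_ajax_demo_import_form', 'demo_import_form' );
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );

function demo_import_form() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    $form = json_decode( wp_unslash( $_POST['import'] ), true );
    demo_store_form( $form );
}

function demo_save_settings() {
    check_ajax_referer( 'demo_save_settings', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    update_option( 'demo_settings', wp_unslash( $_POST['settings'] ) );
}
"""

# Heuristic: only string callbacks and plain top-level functions are recognised.
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?\w+)['\"]\s*,\s*['\"](\w+)['\"]")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")

def function_body(src, name):
    """Return the text between the braces of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def handlers_missing_nonce(src):
    """List (hook, callback) pairs whose callback never calls a nonce check."""
    findings = []
    for hook, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is not None and not NONCE_RE.search(body):
            findings.append((hook, callback))
    return findings

if __name__ == "__main__":
    for hook, callback in handlers_missing_nonce(SAMPLE_PHP):
        print(f"{hook}: {callback}() has no nonce verification")
```

The flagged handler still has a capability check, which does not help against CSRF: a forged request arrives with the logged-in administrator's own session, so only the nonce distinguishes it from a request the administrator intended.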
Developers Patched the Flaw
Upon finding the vulnerability, Wordfence quickly reached out to the Ninja Forms developers. Within hours of their report, the developers patched the flaw. The researchers expressed appreciation for the Vulnerability Disclosure Program implemented by the Ninja Forms developers, because this VDP let them quickly notify the developers about the flaw.
The plugin’s website also reflects the fix in the changelog, where the developers have mentioned the fix with version 18.104.22.168. Since the patch is available, users must make sure to update their sites to the latest plugin version to avoid any exploitation.
Just before this one, the researchers also highlighted a similar vulnerability in another WordPress plugin, Real-Time Find and Replace. Exploiting that flaw could also allow the creation of rogue admin accounts and complete site takeovers.