CSRF To XSS Vulnerability In Ninja Forms Risked Over 1 Million WordPress Sites

A vulnerability in the popular Ninja Forms plugin posed a threat to over a million WordPress sites. This CSRF vulnerability could allow an attacker to execute malicious JavaScript on target websites.

Ninja Forms Vulnerability

The Wordfence team has published another vulnerability report affecting WordPress sites. This time, the vulnerability existed in the Ninja Forms plugin, which boasts over 1 million active installations.

As revealed in their post, they found a CSRF vulnerability in the plugin that arose from flaws in two functions. These functions failed to check nonces, and so could not verify whether an incoming request had been intentionally submitted by the logged-in user or had been triggered from elsewhere using that user's session.

One of the affected functions was ninja_forms_ajax_import_form, which imports forms containing HTML content.

To exploit the bug, an attacker merely had to send a maliciously crafted link to the site administrator. Clicking on this link would then import malicious JavaScript into the site using the admin’s session. Moreover, the attacker could also replace an existing form on the site with the malicious one.
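To make the missing check concrete, here is an added illustration (not Ninja Forms' own code) of a hypothetical WordPress admin-ajax import handler, first with the weakness the article describes and then hardened with a nonce check, a capability check and output filtering; the action name `example_import_form`, the nonce field `nonce` and the option key are assumptions.

```php
<?php
// Added example, not code from Ninja Forms or Wordfence. A hypothetical
// admin-ajax handler that imports a form supplied as HTML.

// BEFORE (the pattern the article describes): no nonce and no capability
// check. Any request carrying the admin's session cookie is trusted, so a
// link the admin clicks elsewhere can submit attacker-chosen HTML, which
// is stored unfiltered and later rendered, turning CSRF into stored XSS.
function example_import_form_insecure() {
    $form_id = absint( $_POST['form_id'] );
    $form    = wp_unslash( $_POST['form'] );          // untrusted HTML, kept as-is
    update_option( 'example_form_' . $form_id, $form );
    wp_send_json_success();
}
// (would be hooked with add_action( 'wp_ajax_example_import_form', ... ))

// AFTER: three independent controls.
function example_import_form_secure() {
    // 1. CSRF: the nonce can only be obtained from a page this site served
    //    to the logged-in user; a forged cross-site request cannot carry it.
    //    On failure check_ajax_referer() terminates the request with 403.
    check_ajax_referer( 'example_import_form', 'nonce' );

    // 2. Authorization: being logged in is not the same as being allowed
    //    to change forms.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation and filtering: wp_kses_post() strips <script>
    //    and event-handler attributes, so even an authorised import cannot
    //    plant JavaScript that runs for every visitor.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $form    = isset( $_POST['form'] ) ? wp_kses_post( wp_unslash( $_POST['form'] ) ) : '';
    if ( 0 === $form_id || '' === $form ) {
        wp_send_json_error( 'missing form data', 400 );
    }

    update_option( 'example_form_' . $form_id, $form );
    wp_send_json_success( array( 'form_id' => $form_id ) );
}
add_action( 'wp_ajax_example_import_form', 'example_import_form_secure' );

// The legitimate admin page issues the matching nonce to its script:
//   wp_localize_script( 'example-admin', 'exampleAjax', array(
//       'nonce' => wp_create_nonce( 'example_import_form' ),
//   ) );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*` and `admin_post_*` handler and confirm each one calls `check_ajax_referer()` or `wp_verify_nonce()` and a `current_user_can()` check before acting on request data.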

According to the researchers, as with any XSS, exploiting this flaw could lead to the creation of rogue admin accounts, takeover of the target site, and redirection of site visitors to malicious links.

Developers Patched the Flaw

Upon finding the vulnerability, Wordfence quickly reached out to the Ninja Forms developers. Within hours of their report, the developers patched the flaw. The researchers credited the Vulnerability Disclosure Program implemented by the Ninja Forms developers, since it allowed them to notify the developers about the flaw quickly.

The plugin’s website also reflects the fix in the changelog, where the developers list it under version 3.4.24.2. Since the patch is available, users should update their sites to the latest plugin version to avoid exploitation.

Just before this one, the researchers also highlighted a similar vulnerability in another WordPress plugin, Real-Time Find and Replace. Exploiting that flaw could also allow the creation of rogue admin accounts and complete site takeover.
