Over 800K WordPress sites are at risk due to a flaw in Ninja Forms plugin

The development team oh the Ninja Forms WordPress plugin fixed a high severity security flaw that can let attackers take over websites.

The developers behind the Ninja Forms WordPress plugin have addressed a Cross-Site Request Forgery (CSRF) vulnerability that could lead to Stored Cross-Site Scripting (Stored XSS) attacks.

Ninja Forms is a drag and drop form builder plugin for WordPress builder that allows users to easily create complex forms within just a few minutes.

The WordPress plugin has currently more than 1 million installs, the flaw affects all Ninja Forms versions up to 3.4.24.2.

The issue, rated as a high severity security flaw (CVSS score of 8.8), could be exploited by attackers to inject malicious code and take over websites.

“On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery(CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations.” reads the post published by WordFence. “This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version.”

The attack scenario sees hackers tricking WordPress admins into clicking specially crafted links that inject the malicious JavaScript code as part of a newly-imported contact form.

Experts from Wordfence explained that hackers could abuse the plugin’s functionality to replace all existing forms on a targeted website with a malicious one.

The Ninja Forms plugin includes a “legacy” mode which allows users to revert its styling and features to those of the plugin’s final 2.9.x version. It leverages multiple AJAX functions that import forms and fields between the “legacy” mode and the default mode. Experts noticed that two of these functions failed to check nonces, this means that they don’t verify the identity of the user that sent a request.

The ninja_forms_ajax_import_form AJAX function is one of them and the issue allows to spoof requests using an administrator’s session after they click a crafted link and import forms containing malicious JavaScript code.

“As such, if an attacker was able to trick an administrator into clicking a crafted link, they could spoof a request using that administrator’s session and import a form containing malicious JavaScript into the site. Worse yet, it was possible to replace any existing form on the site with one of these imported forms by setting the formID $_POST parameter to the ID of an existing form.” continues the post.

“Depending on where the JavaScript was placed in the imported form, it could be executed in a victim’s browser whenever they visited a page containing the form, whenever an Administrator visited the plugin’s Import/Export page, or whenever an Administrator attempted to edit any of the form’s fields,”

Experts explained that the issue allows hackers to carry out a Cross-Site Scripting (XSS) attack, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.

Below the timeline of the issue:

• April 27, 2020 19:00 UTC – Our Threat Intelligence Team discovers and analyzes the vulnerability and verifies that our existing Firewall Rules provide sufficient protection against XSS.
• April 27, 2020 19:24 UTC – We provide full disclosure to the plugin’s developer as per their Responsible Security Disclosure Policy.
• April 27, 2020 20:27 UTC – We receive a response that a patch should be available the next day.
• April 28, 2020 19:00 UTC – Patched version of the plugin released.

At the time of writing, over 800,000 WordPress sites are still using vulnerable versions of the plugin.

A few days ago, WordFence also disclosed another issue affecting the Real-Time Find and Replace WordPress plugin.

Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.

A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:

• Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
• Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
• Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
• Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
• Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.
• March 2020 – The WordPress plugin ‘ThemeREX Addons’ is affected by a critical vulnerability that could allow remote attackers to execute arbitrary code.
• March 2020 – Flaws in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups of 100K+ websites.
• March 2020 – A critical flaw in Rank Math WordPress plugin allows hackers to give users Admins privileges

I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Ninja Forms, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]