Three flaws in Ninja Forms plugin for WordPress impact 900K sites

Experts warn of vulnerabilities impacting the Ninja Forms plugin for WordPress that could be exploited for escalating privileges and data theft.

The Ninja Forms plugin for WordPress is affected by multiple vulnerabilities (tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393) that can be exploited by threat actors to escalate privileges and steal sensitive data.

The WordPress plugin Ninja Forms is the most popular forms builder plugin, it has more than 900,000 active installations.

Developers can use this plugin to create any type of form, including contact forms and payment forms.

The first vulnerability, tracked as CVE-2023-37979, is a POST-based reflected XSS that can be exploited by an unauthenticated user to steal sensitive information to, in this case, privilege escalation on the WordPress site. The attacker can trigger the issue by tricking privileged users into visiting a crafted website.

The second and third vulnerabilities, tracked as CVE-2023-38393 and CVE-2023-38386, are a broken access control on form submissions export feature. Subscriber and Contributor role user can exploit the flaws to export all of the Ninja Forms submissions on a WordPress site.

The vulnerabilities were addressed with the release of version 3.6.26.

“For some cases, plugin or theme code need to call certain function or class from user supplied string. Always try to check and restrict which function or class the user could directly call. Also pay extra attention to an export data action and always implement permission or access control check to the related functions.” reads the post published by PatchStack.

Below is the timeline for the above issues:

• 22 June, 2023We found the vulnerability and reached out to the plugin vendor.
• 04 July, 2023Ninja Forms version 3.6.26 was published to patch the reported issue.
• 25 July, 2023Added the vulnerabilities to the Patchstack vulnerability database.
• 27 July, 2023Security advisory article publicly released.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ninja Forms plugin)