Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Three flaws in Ninja Forms plugin for WordPress impact 900K sites

Experts warn of vulnerabilities impacting the Ninja Forms plugin for WordPress that could be exploited for escalating privileges and data theft. The Ninja Forms plugin for WordPress is affected by multiple vulnerabilities (tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393) that can be exploited by threat actors to escalate privileges and steal sensitive data. The WordPress plugin Ninja […]

WordPRess plugin Ninja Forms

Experts warn of vulnerabilities impacting the Ninja Forms plugin for WordPress that could be exploited for escalating privileges and data theft.

The Ninja Forms plugin for WordPress is affected by multiple vulnerabilities (tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393) that can be exploited by threat actors to escalate privileges and steal sensitive data.

The WordPress plugin Ninja Forms is the most popular forms builder plugin, it has more than 900,000 active installations.

WordPRess plugin Ninja Forms

Developers can use this plugin to create any type of form, including contact forms and payment forms.

The first vulnerability, tracked as CVE-2023-37979, is a POST-based reflected XSS that can be exploited by an unauthenticated user to steal sensitive information to, in this case, privilege escalation on the WordPress site. The attacker can trigger the issue by tricking privileged users into visiting a crafted website.

The second and third vulnerabilities, tracked as CVE-2023-38393 and CVE-2023-38386, are a broken access control on form submissions export feature. Subscriber and Contributor role user can exploit the flaws to export all of the Ninja Forms submissions on a WordPress site.

The vulnerabilities were addressed with the release of version 3.6.26.

“For some cases, plugin or theme code need to call certain function or class from user supplied string. Always try to check and restrict which function or class the user could directly call. Also pay extra attention to an export data action and always implement permission or access control check to the related functions.” reads the post published by PatchStack.

Below is the timeline for the above issues:

  • 22 June, 2023We found the vulnerability and reached out to the plugin vendor.
  • 04 July, 2023Ninja Forms version 3.6.26 was published to patch the reported issue.
  • 25 July, 2023Added the vulnerabilities to the Patchstack vulnerability database.
  • 27 July, 2023Security advisory article publicly released.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ninja Forms plugin)