Popular WordPress Forms plugin Ninja Form recently updated their plugin to patch a severe vulnerability. The vulnerability is rated a high severity because it could allow an attacker to steal admin level access and take over the entire website.
Cross-Site Request Forgery Vulnerability
The exploit that is causing this is called Cross-Site Request Forgery. This kind of vulnerability exploits a lack of a normal security check which then allows an attacker to upload or replace files and even gain administrative access.
This is how the Common Weakness Enumeration site, describes this kind of exploit:
“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
…it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. …and can result in exposure of data or unintended code execution.”
Ninja Forms High Severity Vulnerability
WordFence WordPress Security discovered the exploit and immediately notified the publishers of the Ninja Forms WordPress plugin. Ninja Forms immediately patched the security vulnerability within 24 hours.
According to WordFence, the vulnerability was contained in a “legacy” mode that controlled styling features that reverted to an older version. It is this part of the code that was affected.
This is how WordFence describes it:
“While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user.
… a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.”
Ninja Forms Changelog
The publishers of the Ninja Forms plugin responsibly updated their plugin in a timely manner. They also honestly reflected what the update was about in their changelog.
A changelog is an explanation of what has changed in a software update. Some plugin makers try to hide what the update was about by not mentioning vulnerabilities.
Ninja Forms honestly reported what the update was about. This is very important for publishers because it alerts them as to whether something should be updated immediately or if it can wait.
This shows that Ninja Forms is a trustworthy and responsible WordPress plugin publisher.
Update Ninja Forms Now
All publishers using Ninja Forms are urged to immediately update their Ninja Forms plugin. Ninja Forms Version 220.127.116.11 is the latest version. If you have an earlier version then you must update your plugin to avoid this severe vulnerability.
Read the WordFence report about the vulnerability here: