Recently, two vulnerabilities were found in the very popular Ninja Forms plugin for WordPress. Ninja Forms is a feature-rich plugin, installed on over 1 million WordPress sites, that provides highly customizable contact forms.
What was found?
Both vulnerabilities stem from an error in the implementation of a permissions callback. It is important to note that there is nothing wrong with the WordPress REST API itself; it is how the plugin developer implemented it that led to the vulnerabilities. The two vulnerabilities are:
- Unprotected REST-API to Email Injection
- Sensitive Information Disclosure
Unprotected REST-API to Email Injection
This vulnerability takes advantage of a Ninja Forms function that allows website publishers to send out bulk email notifications and/or confirmations when responding to form submissions. The Email Injection vulnerability allowed an attacker to leverage this Ninja Forms functionality to blast emails from the website to any email address they chose. In addition to bulk emails, this vulnerability also gave the attacker the opportunity to take control of a website or use the website in a phishing campaign against website visitors.

Sensitive Information Disclosure
The Sensitive Information Disclosure vulnerability took advantage of the same REST API error as the Unprotected REST-API to Email Injection. It allowed any registered user to export every form that had ever been submitted on the website through Ninja Forms. These forms could contain personal and confidential information about the submitter. Ninja Forms used a permissions callback that verified that a user was registered on the website, but it failed to check that user's permission level. As a result, an attacker could bulk export all of the forms ever submitted on the site, even as only a subscriber.

What can you do?
If your website uses Ninja Forms, it is highly recommended that you update to the most recent version, currently 3.5.8. On September 7, 2021, Ninja Forms patched these vulnerabilities with version 3.5.8.
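
The permissions-callback mistake described above, a callback that confirms the user is logged in but never checks their permission level, is shown here next to a hardened form. This is an added example, not Ninja Forms code: the `demo-forms/v1` namespace, the route paths, the `demo_*` function names and the choice of the `manage_options` capability are all assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Permission Callback Demo (added example, hypothetical)
 */

// Weak check: true for every logged-in account, including subscribers.
// This mirrors the class of error the article describes.
function demo_weak_permission() {
    return is_user_logged_in();
}

// Hardened check: authenticate first, then require a capability that
// matches the sensitivity of the data ('manage_options' is an assumption).
function demo_strict_permission() {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
            array( 'status' => 403 ) );
    }
    return true;
}

// Stand-in for a handler that would return stored form submissions.
function demo_export_submissions( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'submissions' => array() ) );
}

add_action( 'rest_api_init', function () {
    // Before: any registered user reaches the export handler.
    register_rest_route( 'demo-forms/v1', '/export-weak', array(
        'methods'             => 'POST',
        'callback'            => 'demo_export_submissions',
        'permission_callback' => 'demo_weak_permission',
    ) );

    // After: only users holding the required capability reach it.
    register_rest_route( 'demo-forms/v1', '/export', array(
        'methods'             => 'POST',
        'callback'            => 'demo_export_submissions',
        'permission_callback' => 'demo_strict_permission',
    ) );
} );
```

When reviewing a plugin's REST routes, any `permission_callback` that returns only `is_user_logged_in()` (or `__return_true`) on a route handling sensitive data deserves the same scrutiny.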