Multiple high-severity vulnerabilities have been discovered in Ninja Forms, a popular forms builder plugin for WordPress with over 900,000 active installations.
The plugin, developed by Saturday Drive, allows users to create various types of forms, including contact forms, event registrations, file uploads and payments.
According to a new advisory published by Patchstack security researcher Rafie Muhammad earlier today, the first vulnerability is a POST-based reflected Cross-Site Scripting (XSS) flaw.
Exploiting this vulnerability could allow unauthorized users to steal sensitive information or execute malicious code on a WordPress site. The flaw was assigned CVE-2023-37979 and has been fixed in version 3.6.26 of the plugin.
The second and third vulnerabilities involve broken access control on the form submissions export feature, reachable by authenticated Subscriber+ and Contributor+ roles respectively. These issues would permit Subscriber- and Contributor-level users to export all Ninja Forms submissions on a WordPress site, regardless of their intended access privileges.
The vulnerabilities were assigned CVE-2023-38393 and CVE-2023-38386 respectively, and both have also been addressed in version 3.6.26 of the plugin.
To mitigate these security risks, Ninja Forms users must update their plugins to at least version 3.6.26. By doing so, they can ensure their websites are protected from potential exploitation.
“For some cases, plugin or theme code needs to call a certain function or class from a user-supplied string,” warned Muhammad.
“Always try to check and restrict which function or class the user could directly call. Also, pay extra attention to an export data action and always implement permission or access control checks in the related functions.”
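The permission check Muhammad recommends for export actions, shown as an added WordPress plugin example that is not Ninja Forms' or Patchstack's code; the example_* names, the 'example_submission' post type and the manage_options capability are assumptions. The weak handler reproduces the access-control gap the advisory describes, the hardened one beside it closes it.

```php
<?php
// Added example, not code from Ninja Forms or Patchstack: a hypothetical plugin
// stores submissions as custom post type 'example_submission' and exports them
// as CSV from an admin_post handler. All example_* names are invented.

// Collects every submission as rows of [id, date, stored fields].
function example_fetch_all_submissions() {
    $rows  = array();
    $posts = get_posts( array(
        'post_type'      => 'example_submission',
        'post_status'    => 'any',
        'posts_per_page' => -1,
    ) );
    foreach ( $posts as $post ) {
        $rows[] = array( $post->ID, $post->post_date, $post->post_content );
    }
    return $rows;
}

// Streams rows to the browser as a CSV download.
function example_stream_csv( array $rows ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'date', 'fields' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// Weak handler: admin_post_* fires for any logged-in user, so a Subscriber
// requesting admin-post.php?action=example_export_weak receives every row.
function example_export_submissions_weak() {
    example_stream_csv( example_fetch_all_submissions() );
}
add_action( 'admin_post_example_export_weak', 'example_export_submissions_weak' );

// Hardened handler: a capability check limits the export to the intended role
// and a nonce ties the request to the plugin's own export button.
function example_export_submissions_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_submissions' );
    example_stream_csv( example_fetch_all_submissions() );
}
add_action( 'admin_post_example_export_safe', 'example_export_submissions_safe' );
```

The export button in the plugin's admin page must carry the matching nonce (via wp_nonce_url() or wp_nonce_field() with the same action string) for the hardened handler to accept it.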
The discovery of these vulnerabilities was reported to the plugin vendor on June 22, 2023. Ninja Forms released version 3.6.26 on July 4, 2023, patching the reported issues. Subsequently, on July 25, 2023, Patchstack added these vulnerabilities to its vulnerability database.
The patches come weeks after security researchers at Wordfence published a report suggesting a WooCommerce bug was exploited in over one million targeted WordPress attacks.