A hugely popular forms builder plugin for the WordPress website builder (opens in new tab) with more than a million installations is vulnerable to a high-severity flaw that could allow threat actors complete website takeover.
Ninja Forms has recently released a new patch, which when reverse-engineered, included a code injection vulnerability (opens in new tab) that affected all versions from 3.0 upwards.
According to Wordfence threat intelligence lead Chloe Chamberland, remotely executing code via deserialization allows threat actors to completely take over a vulnerable site.
Evidence of abuse
“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Chamberland said.
“This could allow attackers to execute arbitrary code (opens in new tab) or delete arbitrary files on sites where a separate POP chain was present.”
To make things even worse, the flaw was observed being abused in the wild, Wordfence further found.
The patch was force-pushed to the majority of the affected sites, BleepingComputer further found. Looking at the download statistics for the patch, more than 730,000 websites have already been patched. While the number is encouraging, it still leaves hundreds of thousands of vulnerable sites.
Those that use Ninja Forms and haven’t updated it yet, should apply the fix manually, as soon as possible. That can be done from the dashboard, and admins should make sure their plugin is updated to version 3.6.11.
This is not the first time a high-severity flaw was found in Ninja Forms. Roughly two years ago, all versions of the plugin up to 22.214.171.124 were found to have been affected by the Cross-Site Request Forgery (CSRF) vulnerability. This one could have been used to launch Stored Cross-Site Scripting (Stored XSS) attacks on user’s WordPress (opens in new tab) sites, essentially taking them over.