Two vulnerabilities in the popular Ninja Forms WordPress plugin could’ve enabled threat actors to export sensitive information and send phishing emails from a vulnerable site, report security researchers.
In their breakdown of the vulnerability, cybersecurity researchers from Wordfence, which develops security solutions to protect WordPress installations, note that Ninja Forms boasts an installation base of over one million websites.
The researchers explain that the vulnerabilities existed because the popular form-building plugin relied on an insecure implementation of the mechanism that checks a user's permissions.
The insecure implementation meant that instead of ensuring a logged-in user had the right permissions to trigger the associated action, the function only checked whether the user was logged in, and nothing else.
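The difference between the two checks, as an added example that is not Ninja Forms or Wordfence code: a hypothetical WordPress plugin guarding a submissions-export route. The REST route, the function names and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example Forms Export (illustrative only, not Ninja Forms code)
 */

// WEAK: authentication only. Any logged-in account, including a
// subscriber-level one, passes this check.
function example_forms_weak_permission() {
    return is_user_logged_in();
}

// HARDENED: authorization. The caller must hold a capability that matches
// the action. 'manage_options' is an assumed choice; a plugin may register
// and check its own, narrower capability instead.
function example_forms_strict_permission() {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // 401 for anonymous callers, 403 for logged-in users without the capability.
    return new WP_Error(
        'example_forms_forbidden',
        'You are not allowed to export submissions.',
        array( 'status' => rest_authorization_required_code() )
    );
}

// Hypothetical handler standing in for code that returns stored submissions.
function example_forms_export_submissions( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'form_id' => (int) $request['form_id'],
        'rows'    => array(), // a real handler would load submissions here
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/forms/(?P<form_id>\d+)/export', array(
        'methods'             => 'GET',
        'callback'            => 'example_forms_export_submissions',
        // Using example_forms_weak_permission here would reproduce the class
        // of flaw described above: logged in, but never checked for rights.
        'permission_callback' => 'example_forms_strict_permission',
    ) );
} );
```

When auditing a plugin for this pattern, look for permission callbacks whose only test is `is_user_logged_in()` on routes that read or send data on behalf of the site.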
Who is it?
One of the issues, a bulk submission export vulnerability, could enable any logged-in user, irrespective of their permissions level, to export everything that had ever been submitted to one of the site’s forms.
The other issue enabled any user to send an email from a vulnerable WordPress website to any email address.
“This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email,” suggests Wordfence, adding that it could also be used to trick the website’s admins to facilitate a site takeover campaign.
Wordfence responsibly disclosed the vulnerability to Ninja Forms on August 3, 2021. Ninja Forms acknowledged it immediately and released a patch earlier this month in the form of Ninja Forms v3.5.8.