An extremely popular form builder plugin for WordPress website builder (Opens in a new tab) with over a million installs is vulnerable to a high severity flaw that could allow threat actors to take control entire website.
Ninja Forms recently released a new patch which, when reverse engineered, included a code injection vulnerability (opens in a new tab) that affected all versions starting with version 3.0.
According to Chloe Chamberland, Threat Intelligence Manager at Wordfence, remote code execution via deserialization allows hackers to take full control of a vulnerable site.
evidence of abuse
"We discovered a code injection vulnerability that allowed unauthenticated attackers to call a limited number of methods on various Ninja Forms classes, including a method that deserialized user-provided content, leading to object injection," Chamberlain said.
"This could allow attackers to execute arbitrary code (opens in a new tab) or delete arbitrary files on sites where a distinct POP string was present."
To make matters worse, the glitch has been observed to be abused in the wild, Wordfence discovered.
The patch was forcibly pushed to most of the affected sites, BleepingComputer discovered. Looking at patch download statistics, more than 730 websites have already been patched. Although the number is encouraging, it still leaves hundreds of thousands of sites vulnerable.
Those who use Ninja Forms and have not yet updated should apply the patch manually, as soon as possible. This can be done from the dashboard and admins need to make sure their plugin is updated to version 3.6.11.
This is not the first time that a very serious flaw has been discovered in Ninja Forms. Approximately two years ago, all versions of the plugin up to 184.108.40.206 were discovered to be affected by the Cross-Site Request Forgery (CSRF) vulnerability. This could have been used to launch stored cross-site scripting (XSS stored) attacks on the user's WordPress sites (opens in a new tab), essentially taking them over.
Via: BleepingComputer (Opens in a new tab)