The Ninja Forms WordPress plugin has a severe security flaw that could result in website takeover through the creation of new administrator accounts.
The Ninja Forms plugin, which has more than one million active installations, is a drag-and-drop contact form builder for websites running on the WordPress Content Management System (CMS).
A vulnerability in the plugin was disclosed by the Wordfence Threat Intelligence team on April 29.
This high-severity bug, having a CVSS score of 8.8, is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the Ninja Forms “legacy” mode system.
Legacy mode lets the user select styling and features based on an older version of the plugin, version 2.9. Ajax functions are in place to transfer forms and fields between the legacy mode options and the default mode; however, two of these functions failed to validate requests properly, and one of them, ninja_forms_ajax_import_form, also allowed the import of custom HTML.
If an attacker manages to dupe an admin account holder into clicking a crafted, malicious link, they could spoof an admin session and import a malicious contact form to replace existing, legitimate scripts.
A malicious script executed in an administrator’s browser could be used to add new administrative accounts, leading to complete site takeover.
A malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.
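The two missing controls described above, a request-origin check (nonce) and a sanitisation step on imported HTML, are easiest to see side by side. The following WordPress AJAX handlers are an added illustration, not Ninja Forms' own code: the function names, the `example_import_form` action and nonce name, and the `example_imported_form` option are all hypothetical, while `check_ajax_referer`, `current_user_can`, `wp_kses_post` and `wp_send_json_*` are standard WordPress functions.

```php
<?php
// Hypothetical WordPress AJAX import endpoint (illustration only, not the plugin's code).

// BEFORE: the pattern the article describes. The handler never checks that the
// request was intentionally issued from the admin UI (no nonce), so a forged
// request riding on an admin's session is accepted (CSRF), and the submitted
// markup is stored verbatim, so any <script> in it is served back later (stored XSS).
function example_import_form_unsafe() {
    $form = wp_unslash( $_POST['form'] ?? '' );          // attacker-controlled markup
    update_option( 'example_imported_form', $form );     // stored without sanitisation
    wp_send_json_success();
}

// AFTER: three controls, each closing one part of the chain.
function example_import_form_safe() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() terminates the request with HTTP 403 if it is missing or stale.
    check_ajax_referer( 'example_import_form', 'nonce' );

    // 2. Authorisation: a valid nonce proves intent, not privilege; still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Stored XSS: reduce the imported HTML to the post-content allowlist, which strips
    //    <script>, inline on* event handlers and javascript: URLs before anything is persisted.
    $form = wp_kses_post( wp_unslash( $_POST['form'] ?? '' ) );
    update_option( 'example_imported_form', $form );
    wp_send_json_success();
}

// Register only the hardened handler for logged-in users; no wp_ajax_nopriv_ variant is exposed.
add_action( 'wp_ajax_example_import_form', 'example_import_form_safe' );

// The admin page that submits the form must embed the matching nonce, e.g. in its form markup:
//   wp_nonce_field( 'example_import_form', 'nonce' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*` callback and confirm each one calls `check_ajax_referer()` (or verifies a nonce some other way) and a capability check before touching state, and that any HTML it persists passes through `wp_kses_post()` or an equivalent allowlist filter.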
The CSRF to XSS security flaw was reported to Ninja Forms, and within hours the plugin developer confirmed that a fix was in progress; a security patch was subsequently released as Ninja Forms version 188.8.131.52.
Users of the plugin should ensure that they are running the current, updated version to stay protected.