Ninja Forms WordPress bug exposes users to XSS attacks, website hijacking


A severe security flaw in the Ninja Forms WordPress plugin could lead to full website takeover, including the creation of new administrator accounts.

The Ninja Forms plugin, which has more than one million active installations, is a drag-and-drop contact form builder for websites running on the WordPress content management system (CMS).

A vulnerability in the plugin was disclosed by the Wordfence Threat Intelligence team on April 29.

This high-severity bug, with a CVSS score of 8.8, is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the plugin's "legacy" mode.

Legacy mode lets a site owner keep the styling and features of an older version of the plugin, version 2.9. A set of AJAX functions handles moving forms and fields between legacy mode and the default mode. Two of these functions failed to validate requests properly (in WordPress terms, they did not check a nonce, so a forged request from another site was accepted), and one of them, ninja_forms_ajax_import_form, also accepted arbitrary custom HTML in the imported form.
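The two defects described above, a missing request check and unsanitized HTML in the imported form, map to two separate fixes in a WordPress AJAX handler. The following is an added illustration written for this article, not Ninja Forms' own code: a hypothetical admin-ajax import handler (`example_import_form_weak`, action name `example_import_form`, option name `example_form`, all invented for the example) in the weak shape, followed by a hardened version that adds a nonce check, a capability check and HTML sanitization.

```php
<?php
// Added example, not code from the Ninja Forms plugin. The function and
// action names are hypothetical; the WordPress API calls are real.

// --- Weak pattern: no nonce, no capability check, raw HTML stored ---
function example_import_form_weak() {
    // Any logged-in admin whose browser can be made to POST here
    // (e.g. via a crafted link) reaches this code, and the form
    // definition is stored verbatim: the stored XSS sink.
    $form = json_decode( wp_unslash( $_POST['import'] ?? '' ), true );
    update_option( 'example_form', $form );
    wp_send_json_success();
}

// --- Hardened pattern ---
function example_import_form_safe() {
    // 1. CSRF: the request must carry a nonce tied to this action and to
    //    the current user. A third-party page cannot obtain or forge it,
    //    so a forged cross-site request dies here with a 403.
    check_ajax_referer( 'example_import_form', 'nonce' );

    // 2. Authorization: being logged in is not enough; only users who may
    //    manage site options are allowed to import forms.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: reject anything that is not the expected shape.
    $form = json_decode( wp_unslash( $_POST['import'] ?? '' ), true );
    if ( ! is_array( $form ) || empty( $form['fields'] ) || ! is_array( $form['fields'] ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    // 4. Stored XSS: sanitize every field before it is persisted. Plain
    //    values become plain text; the one field that may legitimately
    //    hold markup is filtered with wp_kses_post(), which drops <script>,
    //    on* event handlers and javascript: URLs while keeping safe tags.
    $clean = array(
        'title'  => sanitize_text_field( $form['title'] ?? '' ),
        'fields' => array(),
    );
    foreach ( $form['fields'] as $field ) {
        if ( ! is_array( $field ) ) {
            continue;
        }
        $clean['fields'][] = array(
            'type'  => sanitize_key( $field['type'] ?? 'text' ),
            'label' => sanitize_text_field( $field['label'] ?? '' ),
            'html'  => wp_kses_post( $field['html'] ?? '' ),
        );
    }

    update_option( 'example_form', $clean );
    wp_send_json_success( $clean );
}

// Register only the hardened handler. The matching nonce is issued to the
// admin page with wp_create_nonce( 'example_import_form' ) and sent back
// in the POST body as the "nonce" parameter.
add_action( 'wp_ajax_example_import_form', 'example_import_form_safe' );
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any user input is parsed, and sanitization happens on the way into storage, so that the stored form is safe regardless of which page (public form, or the admin's field editor) later renders it.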

If an attacker can trick a logged-in administrator into clicking a crafted, malicious link, the resulting request rides on the administrator's authenticated session (the CSRF half of the chain) and can import a contact form containing malicious JavaScript, replacing an existing legitimate form.

Depending on where the malicious JavaScript lands, it is executed in a victim's browser whenever they visit a page containing the form, or in an administrator's browser when they open the form fields for editing.

A malicious script executed in an administrator’s browser could be used to add new administrative accounts, leading to complete site takeover.

A malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.

The CSRF to XSS flaw was reported to Ninja Forms; within hours the developer confirmed that a fix was in progress, and a security patch was subsequently released as Ninja Forms version

Users of the plugin should confirm on the Plugins page of the WordPress dashboard that they are running the latest version, and update if not, to stay protected.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
