Cybersecurity specialists notified WordPress of the detection of two vulnerabilities in the popular Ninja Forms plugin. According to the report, successful exploitation of the flaws could allow malicious hackers to extract sensitive information and send phishing emails from compromised websites.
The report, presented by Wordfence, states that the flaws in this plugin, which has more than one million active installations, exist because its core form-handling functionality relies on an insecure implementation of the mechanism that verifies a user's permissions.
This means that instead of ensuring that a logged-in user holds the appropriate capability to perform a given action, Ninja Forms only checks whether the user is logged in at all.
The first flaw, described as a bulk mail export error, would allow any logged-in user, regardless of privilege level, to export every submission ever made to one of the site's forms.
The second bug allowed any user to send an email from a vulnerable WordPress site to any email address. The report adds that the flaws could easily be combined to run an ambitious phishing campaign, tricking thousands of unsuspecting users into performing harmful actions.
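The access-control mistake described above (treating "logged in" as "authorized") is easiest to see side by side with the corrected pattern. The following is an added illustration using stock WordPress APIs, not Ninja Forms' code; the `hypo_` hook, nonce and function names are invented for the example.

```php
<?php
// Added example, not Ninja Forms code. A hypothetical admin-ajax handler that
// exports form submissions; all hypo_* names are invented.

// BEFORE (the pattern the report describes): authentication is mistaken for
// authorization. Any account that can log in, including a subscriber,
// can trigger the export.
function hypo_export_submissions_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $form_id = absint( $_POST['form_id'] ?? 0 );
    wp_send_json_success( hypo_collect_submissions( $form_id ) );
}

// AFTER: require a capability, not just a session, and bind the request to
// a nonce so it cannot be triggered cross-site. 'manage_options' is the
// stock administrator capability; a plugin would usually register its own.
function hypo_export_submissions_fixed() {
    check_ajax_referer( 'hypo_export_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $form_id = absint( $_POST['form_id'] ?? 0 );
    wp_send_json_success( hypo_collect_submissions( $form_id ) );
}

// Registering only on wp_ajax_ (and not wp_ajax_nopriv_) already excludes
// anonymous visitors, but says nothing about a logged-in user's role, which
// is exactly the gap the vulnerable handler leaves open.
add_action( 'wp_ajax_hypo_export_submissions', 'hypo_export_submissions_fixed' );

// The page issuing the request would embed wp_create_nonce( 'hypo_export_nonce' ).

function hypo_collect_submissions( $form_id ) {
    // Placeholder for the real database query.
    return array();
}
```

The same capability-plus-nonce check applies to the email-sending endpoint from the second flaw; the fix is the same shape in both handlers.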
The researchers reported the vulnerabilities to Ninja Forms in early August, following the responsible disclosure guidelines established in the security community. The plugin's developers promptly acknowledged the issues and shipped a security patch with Ninja Forms v3.5.8.
Users of affected versions of the plugin are strongly urged to install the update as soon as possible. It is worth mentioning that no active exploitation attempts against these flaws have been detected so far, but users should not ignore the reports and updates.