Tag: Ninja Forms

Two vulnerabilities in Ninja Forms plugin affecting 1 Million websites patched

Plugins, Security
The Wordfence Threat Intelligence team discovered two Ninja Forms vulnerabilities on August 3, 2021. Ninja Forms is one of the most popular form-building plugins for WordPress, installed on over 1,000,000 sites. These flaws allowed an attacker to export sensitive information and to send arbitrary emails from a vulnerable site, which could be used to phish unsuspecting users. One feature the plugin offers is the ability to export all of a site’s form submissions for reviewing and analyzing submission data. Unfortunately, this feature was implemented insecurely, making it possible for any authenticated user to export all of a site’s submission data. The plugin registered a REST route, /ninja-forms-submissions/export, which did in fact use a permissions_callback. However, this check did not