Two vulnerabilities in Ninja Forms plugin affecting 1 Million websites patched

The Wordfence Threat Intelligence team discovered two Ninja Forms vulnerabilities on August 3, 2021. Ninja Forms is one of the most popular form-building plugins for WordPress, installed on over 1,000,000 sites.

These flaws allowed an attacker to export sensitive information and to send arbitrary emails from a vulnerable site, which could be used to phish unsuspecting users.

One feature the plugin offers is the ability to export all of a site’s form submissions for reviewing and analyzing submission data. Unfortunately, this was insecurely implemented, making it possible for any authenticated user to export all of a site’s submission data.

The plugin registered a REST route, /ninja-forms-submissions/export, which did in fact use a permissions_callback. However, this check did nothing more than validate whether or not a user was logged in, via the is_user_logged_in() function. There was no check to verify that the user had the appropriate capability to execute the function. This means that any logged-in user could call the /ninja-forms-submissions/export endpoint and export everything that had ever been submitted to any of the site’s forms. Depending on how a site’s forms were configured, this data could contain sensitive personally identifiable information (PII) that would provide an attacker with valuable information for conducting further attacks.

Another piece of functionality in the plugin was insecurely implemented using the same weak permissions_callback validation.

The plugin registered the /ninja-forms-submissions/email-action endpoint which was intended to trigger bulk email actions on form submissions. This functionality was intended to allow site owners to trigger a variety of email actions like sending an email confirmation, or email notification, in bulk in response to user submissions.

Unfortunately, because this functionality used the same permissions_callback check, any authenticated user could trigger an email action through the REST API endpoint. To make matters worse, the trigger_email_action function executed by the email-action endpoint crafted the email from values that could be passed in the request. This made it possible for an attacker to craft a completely unique email, including the body and subject, and send it from the vulnerable site to any email address.
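The following is an added illustration of the fix pattern for both endpoints described above; it is not Ninja Forms' code or the patch the vendor shipped. It assumes the route namespace and paths map to the URLs quoted in the advisory, uses the administrator capability manage_options as a stand-in for whatever capability the plugin actually gates on, and references handler functions (nf_example_export_handler, nf_example_email_action_handler) that are assumed to be defined elsewhere. Note that the key WordPress's register_rest_route() expects is spelled permission_callback.

```php
<?php
// Added example, not plugin code. Demonstrates the weak check the advisory
// describes beside a capability-based check, plus declared request args so the
// email-action handler is not driven by arbitrary request-supplied values.

// Weak pattern from the advisory: every logged-in user passes, regardless of role.
function nf_example_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened: require a capability held only by trusted roles. 'manage_options'
// (administrators) is an assumption; use the plugin's own capability if one exists.
// Returning WP_Error with status 403 makes the REST server reject the request.
function nf_example_admin_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    // /wp-json/ninja-forms-submissions/export (namespace and path assumed).
    register_rest_route( 'ninja-forms-submissions', '/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'nf_example_export_handler',       // assumed handler
        'permission_callback' => 'nf_example_admin_permission',
    ) );

    // /wp-json/ninja-forms-submissions/email-action (namespace and path assumed).
    register_rest_route( 'ninja-forms-submissions', '/email-action', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'nf_example_email_action_handler', // assumed handler
        'permission_callback' => 'nf_example_admin_permission',
        // Declare only an action id and submission ids; the handler must read
        // just these and build subject/body from the stored action configuration,
        // never from request parameters.
        'args'                => array(
            'action_id'      => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'submission_ids' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'integer' ),
            ),
        ),
    ) );
} );
```

A quick check for a site's own plugins is to grep for register_rest_route() calls whose permission_callback is is_user_logged_in or __return_true and confirm each such endpoint really is meant for every account on the site.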

Read the more detailed report about the two Ninja Forms flaws, which have since been patched, on Wordfence.
