WordPress

Ninja Forms Plugin Security Vulnerability

Photo of SEO SEO Send an email September 30, 2024
0 5 2 minutes read

A popular WordPress Forms plugin, Ninja Forms, recently updated their plugin to patch a severe vulnerability. The vulnerability is rated high in severity as it could allow an attacker to steal admin-level access and take over the entire website.

Cross-Site Request Forgery Vulnerability

The exploit causing this is known as Cross-Site Request Forgery. This type of vulnerability involves exploiting a lack of standard security checks, allowing an attacker to upload or replace files and even gain administrative access.

This is how the Common Weakness Enumeration site describes this kind of exploit:

“The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

…it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. …and can result in exposure of data or unintended code execution.”

Ninja Forms High Severity Vulnerability

WordFence WordPress Security discovered the exploit and immediately notified the publishers of the Ninja Forms WordPress plugin. Ninja Forms patched the security vulnerability within 24 hours.

According to WordFence, the vulnerability was contained in a “legacy” mode that controlled styling features, reverting to an older version. This part of the code was affected.

This is how WordFence describes it:

“While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user.

…a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.”

Ninja Forms Changelog

The publishers of the Ninja Forms plugin responsibly updated their plugin in a timely manner and clearly explained what the update was about in their changelog.

A changelog is a record of what has changed in a software update. Some plugin makers try to obscure the nature of updates by not mentioning vulnerabilities.

Ninja Forms honestly reported what the update was about, which is very important for publishers. It alerts them whether something needs to be updated immediately or if it can wait. This shows that Ninja Forms is a trustworthy and responsible WordPress plugin publisher.

Update Ninja Forms Now

All publishers using Ninja Forms are urged to immediately update their plugins. Ninja Forms Version 3.4.24.2 is the latest version. Users with earlier versions should update their plugins to avoid this severe vulnerability.

More Resources

  • HTTP or HTTPS? Why You Need a Secure Site
  • How Does Website Security Affect Your SEO?
  • Study Shows Web Security Directly Affects SEO
Photo of SEO SEO Send an email September 30, 2024
0 5 2 minutes read
Photo of SEO

SEO

Related Articles

Matt Mullenweg Accuses WP Engine of Trying to Curtail His Free Speech Amid Dispute

October 21, 2024

WordPress Announces New Executive Director

October 9, 2024

Executive Director of WordPress Steps Down

October 5, 2024

8% of Automattic’s Employees Choose to Resign

October 5, 2024
Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button