Ninja Forms, one of the popular WordPress forms plugins, has recently released an update to fix a serious vulnerability. The vulnerability is rated high severity because it may allow an attacker to gain administrator-level access and take over the entire website.
More about the Cross-Site Request Forgery Vulnerability
The vulnerability is a Cross-Site Request Forgery (CSRF). This type of vulnerability exploits the absence of a routine security check, which allows an attacker to upload or replace files and even gain administrative access.
This is how the site of the Common Vulnerability Enumeration explains this class of exploit:
“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
…it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. …and can result in the exposure of data or unintended code execution.”
Ninja Forms High Severity Vulnerability
Wordfence WordPress Security discovered the vulnerability and alerted the Ninja Forms WordPress plug-in publishers immediately. Ninja Forms patched the vulnerability within 24 hours.
The vulnerability was found in a “legacy” mode that managed styling features and restored an older version of them, according to Wordfence.
Wordfence described the vulnerability as follows:
“While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user.
In addition, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.”
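The pattern Wordfence describes, a WordPress AJAX handler that checks the caller's capability but never verifies a nonce, is illustrated below beside its hardened form. This is an added example, not Ninja Forms code; the action names, script handle and option key are hypothetical.

```php
<?php
// Added illustration (not Ninja Forms code). Hypothetical action names,
// script handle and option key. Shows why a capability check alone does
// not stop CSRF, and how a nonce ties the request to the user's intent.

// VULNERABLE PATTERN: current_user_can() confirms WHO is logged in, not
// that this user INTENDED to send the request. A forged cross-site request
// issued from the administrator's browser carries the session cookies and
// reaches update_option() unchallenged.
add_action( 'wp_ajax_example_save_style', 'example_save_style_vulnerable' );
function example_save_style_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Missing: no nonce check before acting on the request.
    update_option( 'example_custom_css', wp_unslash( $_POST['css'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED PATTERN: the nonce is generated server-side for this user and
// action, handed to the admin page's script, and must round-trip with
// every request. check_ajax_referer() ends the request with -1 (HTTP 403)
// when the nonce is absent, stale or minted for another user or action.
function example_enqueue_style_editor() {
    wp_enqueue_script( 'example-style-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-style-editor', 'exampleStyle', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_style' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_style_editor' );

add_action( 'wp_ajax_example_save_style_fixed', 'example_save_style_fixed' );
function example_save_style_fixed() {
    // 1. Intent: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_save_style', 'nonce' );
    // 2. Authorisation: the user must also be permitted to do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Sanitise before storing so the saved value cannot carry markup.
    $css = wp_strip_all_tags( wp_unslash( $_POST['css'] ?? '' ) );
    update_option( 'example_custom_css', $css );
    wp_send_json_success();
}
```

Both checks are needed: the nonce proves intent, the capability proves authorisation, and dropping either one reopens the hole.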
The Ninja Forms plugin developers have handled the update responsibly. Their changelog also often describes honestly what an update was about.
A changelog is a description of what a software update has changed. However, some plugin makers avoid stating vulnerabilities and seek to hide what an update was really about.
Ninja Forms has posted frankly about what this update addressed. This is very useful to publishers, because it tells them whether the update is urgent or can wait.
This shows that Ninja Forms is a reliable and responsible publisher of WordPress plugins.
Update the Ninja Forms Plugin
All websites that use Ninja Forms are encouraged to update the plug-in immediately. The current version is Ninja Forms Version 18.104.22.168. If you have an older version, you need to upgrade your plugin to avoid this severe vulnerability.