Ninja Forms, a popular WordPress plugin, has recently patched for critical vulnerabilities; the plugin is active on over 1 million sites. These flaws could result in massive data leaks, allowing hackers to collect vital user information from all over the world.

According to the Wordfence report, there were two critical vulnerabilities: Unprotected REST-API to Sensitive Information Disclosure and Unprotected REST-API to Email Injection, and the affected version was 3.5.7.

The CVSS score for both of these vulnerabilities is 6.5. Each vulnerability assigned a numerical severity score by the CVSS (Common Vulnerability Scoring System). medium rated vulnerabilities.

What is the Unprotected REST-API to Sensitive Information Disclosure?

Using one of the plugin’s features, users can export all submission data. However, in this feature the permission_callback check implemented insecurely, allowing any logged-in user to export all of a site’s submission data.

In this case, the plugin only validating whether or not a user logged in. However, there was no check to see if the user had the necessary permissions to complete the task.

Any logged-in user can export all submission data as a result of this. These data can be important depending on the type of site, and if an attacker has access to them, they can conduct a variety of attacks.

What is the Unprotected REST-API to Email Injection?

The plugin includes a trigger email feature that used to send bulk emails in response to form submissions. Site owners can use this feature to send various types of emails such as confirmation emails, notifications, and so on.

This vulnerability also occurred as a result of the permission_callback check being implemented insecurely. Furthermore, the email-action endpoint executed the trigger email feature. This allowed an attacker to create a completely unique email, complete with body and subject, and send it from the vulnerable site to any email address.

This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email. In addition, a more targeted spear phishing attack could be used to fool a site owner into believing that an email was coming from their own site. This could be used to trick an administrator into entering their password on a fake login page, or allow an attacker to take advantage of a second vulnerability requiring social engineering, such as Cross-Site Request Forgery or Cross-Site Scripting, which could be used for site takeover.


Vulnerabilities in WordPress plugins is not the first time. We’ve already covered quite a bit of news. Make sure to look into those as well.

If you use the Ninja Forms plugin, to protect your site from the critical vulnerabilities. We recommend that you update to the latest version as soon as possible if you haven’t already.

Please share this on social media if you found it useful. Follow us on Facebook, Twitter, and subscribe to our YouTube channel for more information.

You may also like:

Authentication Bypass Vulnerability in a Popular WordPress Plugin

5 Best WooCommerce Address Autocomplete Plugins