WordPress Plugin – Ninja Forms is highly vulnerable
Ninja Forms is a free form builder WordPress plugin. Users can create beautifully functional forms using this plugin. It requires no extra coding skills. Around 1 million sites use this plugin. But this plugin contains four hypercritical vulnerabilities. So this gives the attacker a chance to take charge of the WordPress site and exploit it.
The four vulnerabilities let even the user who has just registered to conduct malicious activity. These malicious activities include eavesdropping on e-mail sites, controlling admin accounts, and also redirecting the owners to hostile destinations.
Three bugs of the detected four require some social engineering skills to be effective.
The following bugs were detected:
1. Email Hijacking & Account Takeover (Bug 1)
This bug allows even the attackers who have just subscribed to misuse SendWP for mail interception. This can also include a password resetting link.
“At that point, they can monitor all data emailed which could range from using personally identifiable information (PII) from form submissions to reports generated on your site,” researchers warned. “Further, an attacker could trigger a password reset for an administrative user account, if they could discover the username for an account.”
According to reports of the Wordfence Analysis, this is an easily achievable task.
“In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install,” researchers explained. “This AJAX action is tied to the function wp_ajax_ninja_forms_sendwp_remote_install_handler, that checks to see if the SendWP plugin is installed and activated. If the plugin is not currently installed, then it performs the installation and activation of the SendWP plugin.”
“Unfortunately, this AJAX action did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection,” according to the analysis.
2. Related to OAuth (Bug 2)
According to the Wordfence report, cybercriminals can set up an authenticated OAuth connection for an unprotected WordPress site. Also, this can be done quite easily using their personal account. As a result, they will have access to install all paid Add-On plugins
“The plugin registers the AJAX action wp_ajax_nf_oauth which is used to retrieve the connection_url that contains the information necessary, like the client_secret, to establish an OAuth connection with the Ninja Forms Add-On Management portal,” according to the analysis. “Unfortunately, there was no capability check on this function.”
3. Disconnecting the on-going OAuth connection(Bug 3)
This bug is of medium severity. Cybercriminals can send a request of disconnecting the ongoing OAuth connection. Wordfence noted that this “could be a puzzling experience for a site owner.”
“In order to provide this functionality, the plugin registered an AJAX action wp_ajax_nf_oauth_disconnect tied to the function disconnect(). The disconnect() function would simply disconnect an established connection by deleting the options associated with the connection settings in the database,” according to Wordfence. “Unfortunately, this feature did not have nonce protection.”
4. Tricking the administrator(Bug 4)
This last bug is there in the OAuth connection process. To make use of this, the attacker will have to design a customized URL having the ‘redirect’ parameter. Then set an arbitrary site, and trick an administrator to click the link. If the administrator clicks, he would be taken to a malicious website which would further infect his system with malware.
“The plugin registers an AJAX action, wp_ajax_nf_oauth_connect, that is registered to the function connect() which is used to redirect a site owner back to the WordPress site’s Ninja Forms service page after the user has finished the OAuth connection process,” according to the analysis. “This function uses wp_safe_redirect to redirect site owners back to the admin.php?page=ninja-forms#services page by default.”
“There is no protection on the redirection URL validating where the redirect goes, nor was there any protection to prevent an attacker from using the function to redirect a site administrator to a malicious location,” researchers explained. “There was the use of wp_verify_nonce(), however, it was commented out and rendered unusable.”
Saturday Drive which is this plugin’s parent organization has rectified all the bugs.