Ninja Forms is a WordPress plugin for creating forms through a drag-and-drop designer, without writing any code by hand. With more than one million installations and overwhelmingly positive reviews, it is a fairly popular plugin.
WordFence recently discovered four severe vulnerabilities and privately disclosed them to Saturday Drive, the plugin's parent company. Within five days, Ninja Forms released a patch that fixed three of the four vulnerabilities. After another notification, Ninja Forms followed up with a second patch, nearly two weeks after the first, that fixed the final flaw.
The first flaw noted was in the SendWP add-on, an email delivery service. Because the service is paid and not included with the plugin, it likely had less impact than the other vulnerabilities. Due to missing validation in part of the code, a registered user of any level could activate the plugin and retrieve the client_secret_key needed to connect to SendWP. This could allow an attacker to monitor emails sent by the site or trigger password reset emails that could then be intercepted, eventually allowing a site takeover if an administrator's username is discovered.
Another, similar vulnerability allowed an attacker to recover the OAuth key used to connect to the Ninja Forms “Add-on Manager.” The Add-on Manager is a central dashboard for managing add-on purchases that lets administrators provision them on remote WordPress sites. Exploiting this required some social engineering to trick an administrator into clicking a link, but ultimately allowed an attacker to install any of the purchased add-ons.
An open redirect was found as well, affecting only administrators. At the end of an OAuth authentication flow, administrators are redirected back to the Ninja Forms page by default. However, WordFence discovered that the “redirect” URL parameter was not sufficiently checked, so an attacker could change its value to send the administrator to any location. Exploiting this would require an administrator to click a link containing the malicious redirect.
The fourth vulnerability was a cross-site request forgery (CSRF) that could force an OAuth service to disconnect. Once again, this required some social engineering on the attacker's part to convince an administrator to click a link. Clicking a link carrying the specially crafted request would then delete all options associated with that connection. WordFence notes that this would cause no critical harm, though it could disrupt some services provided by Ninja Forms.
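The three classes of defect described above (a handler reachable by any registered user, a state-changing request with no CSRF protection, and a “redirect” parameter followed without validation) share one fix pattern in WordPress. The block below is an added example written for this page; it is not Ninja Forms' or WordFence's code, and every action, option, page and capability name in it is a hypothetical placeholder. It shows the capability check that keeps low-privilege users away from secret-handling endpoints, the nonce check that makes a forged link fail, and the redirect validation that keeps the return URL on the site.

```php
<?php
// Added example, not plugin code. Action, option and page names are
// hypothetical placeholders; the WordPress functions used are real core APIs.

// Register the AJAX handler only for logged-in users ("wp_ajax_" prefix).
// Registering it under "wp_ajax_nopriv_" as well would expose it to anonymous
// visitors, which is the opposite of what a secret-handling endpoint wants.
add_action( 'wp_ajax_example_oauth_disconnect', 'example_oauth_disconnect' );

function example_oauth_disconnect() {
    // Authorization: being logged in is not enough. A subscriber-level account
    // must not be able to activate services or read connection secrets, so
    // require a capability that only administrators hold by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF: a link crafted on another site cannot carry a valid nonce for this
    // action. check_ajax_referer() terminates the request (HTTP 400, body "-1")
    // when the "nonce" query argument is missing, expired or forged.
    check_ajax_referer( 'example_oauth_disconnect', 'nonce' );

    // Only after both checks pass is the connection state changed.
    delete_option( 'example_oauth_client_secret' ); // hypothetical option name
    delete_option( 'example_oauth_connected' );     // hypothetical option name

    wp_send_json_success( array( 'message' => 'Service disconnected.' ) );
}

// Builds the disconnect link an admin page would render. The nonce is bound
// into the URL and tied to the current user's session, so the same URL pasted
// into an email or another site's page will not verify for anyone else.
function example_disconnect_link() {
    return wp_nonce_url(
        admin_url( 'admin-ajax.php?action=example_oauth_disconnect' ),
        'example_oauth_disconnect',
        'nonce'
    );
}

// Computes where to send the administrator after the OAuth flow completes.
// The weak form of this is wp_redirect( $_GET['redirect'] ), which follows
// whatever host the parameter names. wp_validate_redirect() instead returns
// $default unless the requested URL points at this site's own host (or a host
// explicitly added through the "allowed_redirect_hosts" filter).
function example_oauth_return_url() {
    $default = admin_url( 'admin.php?page=example-settings' ); // hypothetical page

    $requested = isset( $_GET['redirect'] )
        ? esc_url_raw( wp_unslash( $_GET['redirect'] ) )
        : '';

    return wp_validate_redirect( $requested, $default );
}

// Call site at the end of the OAuth callback: wp_safe_redirect() applies the
// same host check again, so an off-site target falls back to the admin page
// even if a caller forgets to validate first.
function example_oauth_finish() {
    wp_safe_redirect( example_oauth_return_url() );
    exit;
}
```

The ordering inside the handler matters: the capability check runs before the nonce check so that an unauthorized user is rejected without learning whether their nonce was valid, and the state change happens only after both. For the redirect, the allow-list lives in WordPress core (`wp_validate_redirect` and `wp_safe_redirect`), so the plugin never has to parse hosts itself.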