Though versatile and easy-to-manage, WordPress and its plugins have a long history of being easy-to-exploit. The recent Wordpress plugin to come under fire is ‘Ninja Forms’.
Ninja Forms is a widely used WordPress form that can be customized using drag and drop functionality. It’s attractive design, easy integration, and multiple features & add-ons make it a popular choice among WordPress website owners. As a result, this plugin remains in-demand and currently has over 1 Million active installations.
But on April 27, 2020,Wordfence, a WordPress security firm, detected an anomaly in the Ninja Forms plugin. The reported bug, CVE-2020-12462, has been issued a high-severity 8.8 CVSS score. It imposes the threat of creating a new administrator account, so the attacker can subsequently take full control of the site. This is hands down the best WordPress hack a hacker can hope for.
WordPress Ninja Forms Exploit Explained: How it Works?
The latest Ninja Forms bug is the hack-child of CSRF (Cross Site Request Forgery) to XSS (Stored Cross Site Scripting) Vulnerability, and takes place in the “legacy” mode of the plugin.
- What is CSRF?
CSRF attack works by tricking the end-user/ browser to follow the attacker’s crafted malicious path. Here the attacker gains user’s privileges/ permissions to perform an unwanted activity on victim’s behalf. For example:
- What is XSS?
XSS attack works by injecting a malicious code in a vulnerable website. Here the target is a website visitor who’s browser gets infected upon visiting said webpage. For example:
Background - CSRF Vulnerability Found
Let us share some background on what is Legacy Mode in Ninja Forms and how it works? Legacy mode simply allows users to style the forms using previous version (v 2.9.x) features. This transition between the default modes and legacy modes is made possible by Ajax forms. Here the Ninja Forms got defenseless and failed to validate 2 function requests. This is where CSRF vulnerability in Ninja Forms comes into play as these functions should have verified the user’s legitimacy and request permissions. Out of these, one function in particular ‘ninja_forms_ajax_import_form’ lets you import custom HTML forms.
The Action - XSS Vulnerability Exploited
This is a typical XSS attack on Ninja Forms, where the malicious code will get executed in the administrator’s browser, eventually leading to:
- Ability to create rogue administrator accounts
- Redirecting site visitors to fraud links
- Complete takeover of the website
Ninja Forms WordPress Plugin Exploit Patch
If you’re a WordPress website owner, and use Ninja Forms plugin in your CMS, then don’t be panicked. Luckily, the Wordfence team had reported the Ninja Forms organization of this critical vulnerability, on the same day when it was identified.
On the very next day, April 28, 2020, the Ninja Forms team rolled out the fixed patch in their latest update.
Vulnerable Version: < 220.127.116.11
Fully Patched Updated Version: 18.104.22.168
So if you are a Ninja Forms WordPress plugin user and haven’t updated to the latest version, it’s high time to do so. Hurry up!