The Nasty Truth about WordPress Plugins

Security researchers have discovered two flaws in the popular Ninja Forms WordPress plugin that could’ve allowed malicious actors to steal sensitive information and send phishing emails from a vulnerable site. According to Wordfence, which develops security solutions to secure WordPress installations, Ninja Forms has over one million installations.

According to the researchers, the flaws stemmed from an insecure permission check in the popular form-builder plugin. The faulty implementation meant that any logged-in user who could load a page containing the vulnerable code could bypass the intended authorization and trigger the protected actions.

Is it you?

One of the bugs, a bulk submission export flaw, could be used by any logged-in user to download everything that had ever been submitted to any of the site’s forms. The other allowed any logged-in user to send an email from the vulnerable WordPress site to any recipient they chose.
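The two flaws described above share one bug class: a request is authenticated (the caller is logged in, or holds a nonce) but never authorized (nobody checks what the caller is allowed to do). The following is an added example, not Ninja Forms’ code; every function, action, route, capability and post-type name in it is invented to illustrate the pattern and its fix.

```php
<?php
/**
 * Added example (hypothetical plugin code, not Ninja Forms'): a bulk-export
 * handler and a send-email REST route, each shown vulnerable and fixed.
 */

// The nonce is printed into front-end markup, so any logged-in visitor who can
// load a page with the form on it can read it straight out of the page source.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'hypo-forms', plugins_url( 'forms.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypo-forms', 'hypoForms', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypo_forms' ),
    ) );
} );

// Streams every submission for one form as CSV (hypothetical storage layout:
// a custom post type with the form id and field values in post meta).
function hypo_stream_submissions_csv( $form_id ) {
    $rows = get_posts( array(
        'post_type'      => 'hypo_submission',
        'posts_per_page' => -1,
        'meta_key'       => '_hypo_form_id',
        'meta_value'     => $form_id,
    ) );
    header( 'Content-Type: text/csv' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'submitted', 'name', 'email', 'message' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array(
            $row->post_date,
            get_post_meta( $row->ID, '_hypo_name', true ),
            get_post_meta( $row->ID, '_hypo_email', true ),
            get_post_meta( $row->ID, '_hypo_message', true ),
        ) );
    }
    fclose( $out );
    wp_die();
}

// VULNERABLE: a nonce only proves the request originated from a page that
// printed it (a CSRF defence); it says nothing about the caller's privileges.
add_action( 'wp_ajax_hypo_export', function () {
    check_ajax_referer( 'hypo_forms', 'security' );
    hypo_stream_submissions_csv( absint( $_POST['form_id'] ?? 0 ) );
} );

// FIXED: keep the nonce for CSRF and add a capability check for authorization.
// Use an admin or plugin-specific capability, never one every subscriber holds.
add_action( 'wp_ajax_hypo_export_fixed', function () {
    check_ajax_referer( 'hypo_forms', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    hypo_stream_submissions_csv( absint( $_POST['form_id'] ?? 0 ) );
} );

// The same mistake in a REST route: is_user_logged_in() is authentication, not
// authorization, so any subscriber could make the site send arbitrary mail.
add_action( 'rest_api_init', function () {
    $send = function ( WP_REST_Request $req ) {
        $ok = wp_mail(
            sanitize_email( $req['to'] ),
            sanitize_text_field( $req['subject'] ),
            wp_kses_post( $req['body'] )
        );
        return $ok
            ? rest_ensure_response( array( 'sent' => true ) )
            : new WP_Error( 'hypo_mail_failed', 'Mail not sent', array( 'status' => 500 ) );
    };
    register_rest_route( 'hypo/v1', '/email', array(
        'methods'             => 'POST',
        'callback'            => $send,
        'permission_callback' => 'is_user_logged_in',            // VULNERABLE
    ) );
    register_rest_route( 'hypo/v1', '/email-fixed', array(
        'methods'             => 'POST',
        'callback'            => $send,
        'permission_callback' => function () {                   // FIXED
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Against the vulnerable handler, a subscriber-level account needs nothing more than a page that renders the form (to read `hypoForms.nonce` from the source) and a POST to `admin-ajax.php` with `action=hypo_export`, `form_id` and `security=<nonce>`; the fixed handler rejects the same request with a 403. When auditing a plugin for this class, list every `wp_ajax_*` hook and every `register_rest_route` call and confirm each one reaches a `current_user_can()` check (or an equivalent capability test) before doing anything a subscriber should not be able to do; a nonce or `is_user_logged_in()` on its own is not enough.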

“This vulnerability might be used to launch a phishing campaign that may trick unsuspecting people into performing undesired activities by exploiting the trust in the domain that issued the email,” according to Wordfence. It could also be used to deceive site administrators into unwittingly assisting in a site takeover.

Wordfence responsibly reported the vulnerabilities to Ninja Forms on August 3, 2021; the developers acknowledged them right away and released a fix, Ninja Forms v3.5.8, last month.