Skip to main content

WordPress plugin exploit puts more than one million sites at risk

WordPress logo
(Image credit: Pixabay)

Four severe vulnerabilities have been identified in a single WordPress plugin used by more than one million websites. The bugs were discovered affecting the Ninja Forms plugin, a drag-and-drop form builder, and could be used to take over a WordPress site and redirect administrators to malicious portals.

The first flaw makes it possible to redirect site owners to arbitrary locations, taking advantage of the wp_safe_redirect function. Attackers could craft a link with a redirect parameter that takes the site owner to a malicious URL by indicating that an inquiry into a site’s unusual behavior was taking place. This could be enough to convince the administrator to unwittingly click on the malicious link.

The second vulnerability allows attackers to intercept email traffic, providing they have subscriber level access or above. The third makes it possible for attackers to access the Ninja Forms central management dashboard by gaining access to the authentication key, while the fourth flaw allows threat actors to disconnect a site’s OAuth Connection, meaning that there would be no way of carrying out access delegation.

Severe vulnerabilities

“In today’s post, we detailed four flaws in the Ninja Forms plugin that granted attackers the ability to obtain sensitive information while also allowing them the ability to redirect administrative users,” Chloe Chamberland, a member of the Wordfence Threat Intelligence Team, said. “These flaws have been fully patched in version 3.4.34.1. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.”

The four flaws have been granted different levels of severity, with the most dangerous being given a CVSS score of 9.9. However, given the popularity of the affected plugin, even the least severe threat should be patched as soon as possible.

Ninja Forms released a fix for three of the vulnerabilities on January 25, with the final flaw patched on February 8.

Via Wordfence