Late last week, Ninja Forms users received a forced security update from WordPress.org for a critical PHP Object Injection vulnerability. This particular vulnerability can be exploited remotely without any authentication. It was publicly disclosed last week and patched in the latest version, 3.6.11. Patches were also backported to versions 184.108.40.206, 3.1.10, 3.2.28, 220.127.116.11, 18.104.22.168, and 22.214.171.124.
Wordfence noticed a back-ported security update in the form builder plugin, which has more than a million active installs. Threat analyst Chloe Chamberland explained the vulnerability in an advisory alerting the company’s users:
We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.
The vulnerability affects Ninja Forms’ “Merge Tags” feature that auto-populates values from Post IDs and usernames, for example. Wordfence threat analyst Ramuel Gall reverse engineered the vulnerability’s patches to create a working proof of concept. He found that it is possible to call various Ninja Forms classes that could be used for a wide range of exploits, including complete site takeover. Chamberland reports there is evidence to suggest the vulnerability is being actively exploited in the wild.
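To illustrate the bug class the advisory describes (a method that runs unserialize() on user-supplied content), here is an added PHP example that is not Ninja Forms code; the function names and sample values are hypothetical. It shows the unsafe pattern, a hardened replacement that refuses serialized objects, and a check a site owner can run over logged request values to spot object-injection attempts.

```php
<?php
// Added illustration, not code from Ninja Forms. All names are hypothetical.

// UNSAFE: a request value reaches unserialize() unchanged, so a serialized
// object payload instantiates application classes and runs their __wakeup /
// __destruct methods. With a separate POP chain present that can become code
// execution or file deletion, which is what the advisory warns about.
function resolve_merge_tag_unsafe(string $value)
{
    return unserialize($value);
}

// HARDENED: allowed_classes=false makes PHP turn any serialized object into
// __PHP_Incomplete_Class rather than the real class, so no application magic
// methods fire; anything that still contains an object is rejected outright.
function resolve_merge_tag_safe(string $value)
{
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false && $value !== serialize(false)) {
        return null; // not valid serialized data
    }
    return contains_object($data) ? null : $data;
}

function contains_object($data): bool
{
    if (is_object($data)) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// DETECTION: flag serialized-object markers ("O:<len>:\"" or "C:<len>:\"")
// in values taken from access or WAF logs for unauthenticated requests.
function looks_like_object_injection(string $value): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', urldecode($value));
}

$samples = ['a:1:{i:0;s:3:"abc";}', 'O:8:"stdClass":0:{}', 'plain text']; // constructed
foreach ($samples as $s) {
    printf("%-24s flagged=%s\n", $s, looks_like_object_injection($s) ? 'yes' : 'no');
}
```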
WordPress.org’s forced security updates are a mitigation effort used in rare instances where the vulnerability is particularly severe and affects a large number of users. More than 680,000 sites were updated on June 14. This PHP object injection vulnerability scores 9.8 on the Common Vulnerability Scoring System, but it has not yet been given a CVE ID.
Reviewing previous CVE IDs for Ninja Forms, this is the most severe vulnerability in the plugin’s history. Ninja Forms’ changelog doesn’t communicate the severity of the threat, categorizing it as a “security enhancement:”
3.6.11 (14 JUNE 2022)
* Apply more strict sanitization to merge tag values
Ninja Forms did not post about the security update on its blog or social media accounts. Wordfence plans to update the text of its advisory as the company learns more about how attackers are exploiting the vulnerability. Ninja Forms users should check their sites to ensure the automatic security update went through. This update comes just one week after Ninja Forms patched a less severe, authenticated stored cross-site scripting (XSS) vulnerability on June 7.
Wordfence’s post left out some important information about this, including that the vulnerability is reported to have been exploited at least as far back as June 9: https://wpscan.com/vulnerability/8843d66b-e895-4336-afda-00b99442cdc1
In reviewing the vulnerability, we found that there is still a vulnerability related to the insecurity that caused the fixed vulnerability in Merge Tags functionality. We contacted the developer about that over the weekend, but we haven’t gotten a response and so far it hasn’t been addressed: https://www.pluginvulnerabilities.com/2022/06/20/ninja-forms-merge-tags-functionality-is-still-vulnerable/
The claimed authenticated stored cross-site scripting (XSS) vulnerability mentioned isn’t really a vulnerability, but to the extent there really was a security issue, we notified the developer about part of that in January and they took until June to address it. There was a real vulnerability fixed in that version: https://www.pluginvulnerabilities.com/2022/05/27/our-proactive-monitoring-caught-a-csrf-php-object-injection-vulnerability-in-1-million-install-wordpress-plugin-ninja-forms/
We contacted the developer about that over the weekend, but we haven’t gotten a response and so far it hasn’t been addressed
Ninja Forms did not post about the security update on its blog or social media accounts
This type of behaviour is inexcusable and very telling. It’s all about trust. Ninja Forms: off you go straight onto the blacklist.
Last time when I installed Ninja Forms my website got hacked, then I had to pay $100 to my hosting for recovery.
WordPress Tavern is a website about all things WordPress. We cover news and events, write plugin and theme reviews, and talk about key issues within the WordPress ecosystem…