The Wordfence Threat Intelligence Team found a significant, critical vulnerability in the Ninja Forms WordPress plugin.
This is a plugin that’s installed on more than 1 million sites.
It carries a CVSS (Common Vulnerability Scoring System) score of 9.8, which means that the vulnerability is quite severe.
What’s Wrong With Ninja Forms?
Normally, Ninja Forms allows site owners to add forms to their sites that are easily customizable.
One of the functionalities of Ninja Forms includes the ability to add “Merge Tags” to forms that auto-populate values from other sections of WordPress.
You can auto-populate things like Post IDs as well as logged in usernames.
However, a flaw in this functionality allowed attackers to call various Ninja Forms classes. These classes can potentially be used in a number of different exploits that target vulnerable WordPress sites.
The Merge Tags functionality performs an is_callable() check on the Merge Tags that are supplied.
If a callable class and method are supplied as a Merge Tag, the function is called and its code is executed.
Because of the way that the NF_MergeTags_Other class handles these types of tags, the Merge Tags can be provided by users who are unauthenticated.
The Wordfence Security Team determined that this caused a critical vulnerability that led to many exploit chains, because of the classes and functions that the Ninja Forms plugin contains.
One critical exploit that Wordfence called attention to involves the NF_Admin_Processes_ImportForm class.
This particular exploit allows attackers to achieve what’s called “remote code execution via deserialization.”
Wordfence also noted, however, that another plugin or theme with usable gadgets has to be installed on the site for this exploit to be effective.
Take Action and Update Your Plugins
If you believe that your site has been compromised because of this vulnerability, it is imperative that you update your plugins as soon as you are able.
There are also other steps you may need to take, according to Wordfence's post.
According to Wordfence, the flaw has been fully patched in the following versions:
- 3.0.34.2
- 3.1.10
- 3.2.28
- 3.3.21.4
- 3.4.34.2
- 3.5.8.4
- 3.6.11
If it has not been done already, Wordfence highly recommends making sure that your site is updated to one of the above patched versions as quickly as possible.
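As an added example (not code from Wordfence or the Ninja Forms project), the following Python script checks an installed Ninja Forms version against the patched releases listed above, comparing within the same release branch. The function names, the constructed sample plugin header, and the treatment of branches newer than 3.6 as patched are assumptions.

```python
import re

# Patched releases per release branch, exactly as listed above (per Wordfence).
PATCHED = ["3.0.34.2", "3.1.10", "3.2.28", "3.3.21.4", "3.4.34.2", "3.5.8.4", "3.6.11"]

def parse(version):
    """Turn '3.3.21.4' into (3, 3, 21, 4); reject anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in version.split("."))

# Map each branch, e.g. (3, 6), to the first fixed release on that branch.
FIXED_BY_BRANCH = {parse(v)[:2]: parse(v) for v in PATCHED}

def pad(t, n=4):
    # Right-pad with zeros so '3.0.34' compares as 3.0.34.0 against 3.0.34.2.
    return t + (0,) * (n - len(t))

def status(version):
    """Classify an installed Ninja Forms version against the patched list."""
    v = parse(version)
    branch = pad(v, 2)[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return "patched" if pad(v) >= pad(fixed) else "vulnerable"
    if branch > max(FIXED_BY_BRANCH):
        # Assumption: branches newer than 3.6 were released after the fix.
        return "patched"
    # Branch older than 3.0: the list above names no fix, so do not guess.
    return "unknown"

def version_from_header(php_source):
    """Read the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_source, re.M | re.I)
    return m.group(1) if m else None

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Version: 3.6.10
*/
"""

if __name__ == "__main__":
    installed = version_from_header(SAMPLE_HEADER)
    print(installed, status(installed))
```

A result of "vulnerable" or "unknown" means the site should be updated to one of the patched versions above.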