If you use the Ninja Forms plugin and your sites aren’t set to get automatic plugin updates, add a round of updates to your weekend plans. Patchstack is reporting multiple high severity security vulnerabilities in the plugin, including the following:
- a POST-based reflected XSS (7.6 CVSS 3.1 score)
- a broken access control on form submissions export feature that allows Subscriber and Contributor role users to export all of the Ninja Forms submissions on a WordPress site (7.6 CVSS 3.1 score)
Patchstack researchers discovered the vulnerabilities on June 22, 2023, and Ninja Forms patched them on July 4, 2023. The security advisory was publicly released on July 27, 2023.
The plugin’s changelog for version 3.6.26 transparently identifies the security fixes included in the release:
Security Enhancements:
* Prevent unauthorized download of submission
* Prevent scripts in dashboard field labels; responsibly reported by Sayandeep Dutta
* Prevent front-facing label scripts; responsibly reported by Jonathon Zamora & WordPress.org
* Prevent excess extra data through automated form submission
* Prevent override access where not permitted
Ninja Forms is used on more than 800,000 WordPress sites. The majority of the plugin’s users are on version 3.6.x (73.6%) but WordPress.org doesn’t offer a more detailed breakdown of minor versions, so it’s not clear how many are still vulnerable. Ninja Forms users are recommended to patch their sites immediately. At this time, the vulnerabilities are not known to have been exploited.