WordPress Ninja Forms Vulnerability Exposes Over a Million Sites

  • Home
  • Blog
  • WordPress Ninja Forms Vulnerability Exposes Over a Million Sites
Wordpress Security

The popular plugin is installed on more than 1 million websites and has four flaws that allow various kinds of serious attacks, including site takeover and email hijacking.

Ninja Forms is one of the most popular intuitive form creation plugins in the WordPress plugin repository. It provides users with the ability to create forms using drag and drop capabilities, making the design process much more simple for WordPress users.

According to cybersecurity researcher Ramuel Gall, the high-severity bug, issued a CVSS score of 8.8, is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the Ninja Forms “legacy” mode system.

The Four Flaws

  1. The first flaws made it possible for attackers to redirect site administrators to arbitrary locations.
  2. The second flaw made it possible for attackers with subscriber-level access or above to install a plugin that could be used to intercept all mail traffic.
  3. The third flaw made it possible for attackers with subscriber-level access to retrieve the Ninja Form OAuth Connection Key that could be used to establish a connection with the Ninja Forms central management dashboard.
  4. The final flaw made it possible for attackers to disconnect a site’s OAuth Connection if they could trick a site’s administrator into performing an action. These flaws could be used to take over a WordPress site and redirect site owners to malicious sites.

WordPress REST API

The WordPress REST API is an interface that allows plugins to interact with the WordPress core. The REST API allows plugins, themes and other applications to manipulate WordPress content and create interactive functionalities.

The WordPress core receives data through the REST API interface from the plugins in order to accomplish these new experiences.

However, like any other interaction that allows uploading or inputting of data, it is important to “sanitize” what is being input and who is able to make the input, in order to make sure the data is what is expected and designed to receive.

It is important to note, that there is nothing wrong with the WordPress REST API itself. The problems originate in how WordPress plugins design their interactions with the REST API.

How am I affected?

  1. The Sensitive Information Disclosure vulnerability allowed any registered user, even a subscriber, to export every form that had ever been submitted to the website. That includes all confidential information that someone may have submitted.
  2. The Email Injection vulnerability allowed an attacker to use this specific Ninja Forms functionality to blast emails from the vulnerable website to any email address.

This particular vulnerability had the possibility of launching a full site takeover or a phishing campaign against a website’s customers.

3. Phishing and Spearphishing:

The vulnerabilities found could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email.

In addition, a more targeted spear-phishing attack could be used to fool a site owner into believing that an email was coming from their own site.

This could be used to trick an administrator into entering their password on a fake login page or allow an attacker to take advantage of a second vulnerability requiring social engineering, such as Cross-Site Request Forgery or Cross-Site Scripting, which could be used for site takeover.

How should I protect myself?

According to our experts at Proteqme Security, you should do the following:

  1. Immediately Update your plugin, as the vulnerabilities found were critical.
  2. Make sure you are using a Firewall on your website.
  3. Make sure your input data is throughly sanitized.

This is hard to do if you aren’t working in the industry.

So what can you do? Read Below!

Input Sanitization: The Root of All Web Evil

Insufficient input validation can result in various kinds of code injection including XSS, and in some cases can be used to phish user credentials or spread malware.

No data that comes in from an untrusted source should be trusted.

This would include anything that you did not create yourself. The data may come in as command line parameters, through a query string, through POST data, cookies, HTTP headers, a web service call, an uploaded file, or anything else.
If you did not create it, then it can’t be trusted.

Validate all data to make sure it’s what you expect, and then treat it to make sure it’s safe in the context where it will be used.
Be aware of the different contexts within a web page and keep your users safe.

The Best Way To Protect Yourself

At Proteqme Security, we have created a solution to take care of all the problems outlined above.

Our Solution Eagle Eye WAF is automated, easy to install and completely foolproof.


Our Eagle Eye WAF(Web Application Protector) automatically integrates into your source code and sanitizes ALL input parameters at run time.

What does this mean?

Using Eagle Eye WAF, you can detect and block attacks before they even happen!

No matter what plugin you use, your website will always be safe!

In addition to this, we also protect your website against the OWASP Top 10 Vulnerabilities, provide you with an Entirely Virtualized Security Operations Center and Firewall+Protector, and a lot more!

Read More: About Eagle Eye WAF

What’s included: Packages and Features

Protect Yourself: Eagle Eye WAF

Talk to Our Experts for FREE!

Leave a Reply

Your email address will not be published. Required fields are marked *