The Wordfence Threat Intelligence team discovered a vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version. The plugin was patched less than 24 hours after our initial contact, on April 28, 2020.

Description: Cross-Site Request Forgery

Affected Plugin: Ninja Forms
Affected Versions: < 3.4.24.2
CVE ID: CVE-2020-12462
CVSS Score: 8.8 (High)
Fully Patched Version: 3.4.24.2

The Ninja Forms plugin features a “legacy” mode which allows users to revert its styling and features to those of the plugin’s final 2.9.x version. While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user.

If an attacker was able to trick an administrator into clicking a crafted link, the import request would be accepted without a nonce, and it was possible to replace any existing form on the site with the attacker-supplied imported form by setting the formID $_POST parameter to the ID of an existing form.

As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.
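To make the missing check concrete, the following is an added illustration and not Ninja Forms code: a hypothetical admin-ajax import handler that performs a capability check but no nonce check, shown beside the same handler with `check_ajax_referer()` added. The action names, option keys, `manage_options` capability and `example_store_form()` helper are assumptions for the example.

```php
<?php
// Added example, not Ninja Forms code. Hypothetical action names and storage
// illustrate the advisory's point: a capability check alone proves only that the
// browser belongs to an administrator, not that the administrator intended the
// request. A nonce ties the request to a page the administrator actually loaded.

// VULNERABLE PATTERN: capability check only, no nonce check.
add_action( 'wp_ajax_example_import_form', 'example_import_form_unsafe' );
function example_import_form_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // A cross-site request issued by a logged-in admin's browser passes the
    // check above, so an attacker-chosen formID overwrites an existing form.
    $form_id = absint( $_POST['formID'] ?? 0 );
    $payload = wp_unslash( $_POST['form'] ?? '' );
    example_store_form( $form_id, $payload );
    wp_send_json_success();
}

// HARDENED PATTERN: same handler, with a nonce bound to the import screen.
add_action( 'wp_ajax_example_import_form_fixed', 'example_import_form_safe' );
function example_import_form_safe() {
    // check_ajax_referer() stops the request with HTTP 403 when the nonce in
    // $_POST['_ajax_nonce'] is missing, expired, or issued for a different user.
    check_ajax_referer( 'example_import_form' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form_id = absint( $_POST['formID'] ?? 0 );
    $payload = wp_unslash( $_POST['form'] ?? '' );
    example_store_form( $form_id, $payload );
    wp_send_json_success();
}

// The import screen must emit the matching nonce so legitimate requests carry it;
// the plugin's JavaScript sends it as the _ajax_nonce POST field.
function example_render_import_button() {
    $nonce = wp_create_nonce( 'example_import_form' );
    printf(
        '<button class="example-import" data-nonce="%s">Import form</button>',
        esc_attr( $nonce )
    );
}

// Placeholder for the plugin's own persistence logic (hypothetical option key).
function example_store_form( $form_id, $payload ) {
    update_option( 'example_form_' . $form_id, $payload );
}
```

Note that the nonce check comes before any use of `$_POST`, so a forged request is rejected before the form is touched; the capability check remains necessary because a nonce alone does not establish authorization.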

Conclusion

This flaw has been fully patched in version 3.4.24.2, and we recommend that all users update to the latest available version immediately. If you know a friend or colleague who is using this plugin, we recommend forwarding this advisory to them as soon as possible to help them secure their site.