Thousands of WordPress sites force updated to fix dangerous security flaw

A hugely popular forms builder plugin for the WordPress website builder with more than a million installations is vulnerable to a high-severity flaw that could allow threat actors complete website takeover.

Ninja Forms has recently released a new patch, which when reverse-engineered, included a code injection vulnerability that affected all versions from 3.0 upwards.

According to Wordfence threat intelligence lead Chloe Chamberland, remotely executing code via deserialization allows threat actors to completely take over a vulnerable site.

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Evidence of abuse

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Chamberland said.

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”

To make things even worse, the flaw was observed being abused in the wild, Wordfence further found.

The patch was force-pushed to the majority of the affected sites, BleepingComputer further found. Looking at the download statistics for the patch, more than 730,000 websites have already been patched. While the number is encouraging, it still leaves hundreds of thousands of vulnerable sites.

Those that use Ninja Forms and haven’t updated it yet, should apply the fix manually, as soon as possible. That can be done from the dashboard, and admins should make sure their plugin is updated to version 3.6.11.

This is not the first time a high-severity flaw was found in Ninja Forms. Roughly two years ago, all versions of the plugin up to 3.4.24.2 were found to have been affected by the Cross-Site Request Forgery (CSRF) vulnerability. This one could have been used to launch Stored Cross-Site Scripting (Stored XSS) attacks on user’s WordPress sites, essentially taking them over.

Via: BleepingComputer