April 29

High Severity Vulnerability Patched in Ninja Forms

WordPress Vulnerabilities


This post was originally published on this site

On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) vulnerability in Ninja Forms, a WordPress plugin with more than 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form that contains malicious JavaScript and to replace any existing contact form with the malicious version.

We reached out to Ninja Forms’ security team in accordance with their Responsible Disclosure Guidelines, and they replied within a few hours. The plugin was patched less than a day after our initial contact, on April 28, 2020.

All Wordfence users, including both Wordfence Premium and free Wordfence users, are protected from XSS attempts against this vulnerability by the Wordfence Firewall’s built-in XSS protection.

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: <
CVE ID: CVE-2020-12462
CVSS Score: 8.8 (High)
Fully Patched Version:

The Ninja Forms plugin comes with a “legacy” mode that allows users to revert its styling and features to those of the plugin’s final 2.9.x version. As part of this feature, it adds several AJAX functions that appear to be intended to import forms and fields between the “legacy” mode and the default mode. While most of these functions used capability checks, two of the functions didn’t check nonces, which are used to verify that a request was intentionally sent by a legitimate user. One function in particular, ninja_forms_ajax_import_form, allowed importing forms containing custom HTML:

add_action( 'wp_ajax_ninja_forms_ajax_import_form', 'ninja_forms_ajax_import_form' );
function ninja_forms_ajax_import_form() {
   // Capability check only: no nonce is verified before the import runs.
   if( ! current_user_can( apply_filters( 'ninja_forms_admin_upgrade_import_form_capabilities', 'manage_options' ) ) ) return;

   $import = stripslashes( $_POST[ 'import' ] );

   $form_id = ( isset( $_POST[ 'formID' ] ) ) ? absint( $_POST[ 'formID' ] ) : '';

   WPN_Helper::delete_nf_cache( $form_id ); // Bust the cache.

   Ninja_Forms()->form()->import_form( $import, TRUE, $form_id, TRUE );

   if( isset( $_POST[ 'flagged' ] ) && $_POST[ 'flagged' ] ) {
       $form = Ninja_Forms()->form( $form_id )->get();
       $form->update_setting( 'lock', TRUE );
   }

   echo json_encode( array( 'export' => WPN_Helper::esc_html($_POST['import']), 'import' => $import ) );
}

As such, if an attacker could trick an administrator into clicking a crafted link, they could spoof a request using that administrator’s session and import a form containing malicious JavaScript into the site. Worse yet, it was possible to replace any existing form on the site with one of these imported forms by setting the formID $_POST parameter to the ID of an existing form.

Depending on where the JavaScript was placed in the imported form, it could be executed in a victim’s browser whenever they visited a page containing the form, whenever an Administrator visited the plugin’s Import/Export page, or whenever an Administrator attempted to edit the form’s fields. As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, resulting in complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.
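An added example, not the plugin's actual patch and not Wordfence's code: the same AJAX handler with a nonce check placed before any state change. The nonce action name, the `security` field, the `example-nf-upgrade` script handle and the `upgrade.js` path are assumptions made for illustration.

```php
<?php
// Added example, not Ninja Forms code. The nonce action, the 'security' field,
// the script handle and the upgrade.js path are hypothetical.
const EXAMPLE_IMPORT_NONCE = 'example_nf_import_form';

// Admin page: hand the nonce to the script that sends the AJAX request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-nf-upgrade', plugins_url( 'upgrade.js', __FILE__ ), array( 'jquery' ), null, true );
    wp_localize_script( 'example-nf-upgrade', 'exampleNfImport', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( EXAMPLE_IMPORT_NONCE ),
    ) );
} );

add_action( 'wp_ajax_ninja_forms_ajax_import_form', 'example_import_form_with_nonce' );
function example_import_form_with_nonce() {
    // 1. Authorization: same capability check as the handler shown above.
    if ( ! current_user_can( apply_filters( 'ninja_forms_admin_upgrade_import_form_capabilities', 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. Intent: a forged cross-site POST carries the administrator's cookies
    //    but cannot supply the nonce bound to their session.
    if ( ! check_ajax_referer( EXAMPLE_IMPORT_NONCE, 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }

    // 3. Validate input before touching any stored form.
    if ( ! isset( $_POST['import'] ) ) {
        wp_send_json_error( array( 'message' => 'missing import' ), 400 );
    }
    $import  = wp_unslash( $_POST['import'] );
    $form_id = isset( $_POST['formID'] ) ? absint( $_POST['formID'] ) : '';

    WPN_Helper::delete_nf_cache( $form_id ); // Bust the cache.
    Ninja_Forms()->form()->import_form( $import, TRUE, $form_id, TRUE );

    if ( ! empty( $_POST['flagged'] ) ) {
        $form = Ninja_Forms()->form( $form_id )->get();
        $form->update_setting( 'lock', TRUE );
    }

    wp_send_json_success( array( 'form_id' => $form_id ) );
}
```

With the nonce required, a request forged from another origin stops at step 2, so neither the import nor the `formID` overwrite runs.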

Vulnerability Disclosure Policies are Important

One of the reasons this plugin was patched so quickly was that the plugin’s team maintains a Responsible Security Disclosure Policy, also known as a Vulnerability Disclosure Policy. This allowed us to contact them directly with our full disclosure rather than spending days trying to find or verify the correct contact channel. While we’ve occasionally seen plugins patched in under 24 hours before, responses like this are exceptional and indicate a serious dedication to security.

If you are responsible for any kind of software product or service, having a Vulnerability Disclosure Policy (VDP) not only improves your chances of being alerted to serious security issues, but also lets you set expectations for the response. Most importantly, it reduces the risk of vulnerabilities in your products being prematurely or irresponsibly disclosed and attacked by bad actors before you have a chance to fix them. We therefore strongly recommend implementing a VDP to improve not only the efficiency of your response to specific flaws, but also the overall security of your product.


April 27, 2020 19:00 UTC – Our Threat Intelligence Team discovers and analyzes the vulnerability and verifies that our existing Firewall Rules provide sufficient protection against XSS.
April 27, 2020 19:24 UTC – We provide full disclosure to the plugin’s developer according to their Responsible Security Disclosure Policy.
April 27, 2020 20:27 UTC – We receive a response that a patch should be available the next day.
April 28, 2020 19:00 UTC – Patched version of the plugin released.


In today’s post, we detailed a Cross-Site Request Forgery vulnerability in the Ninja Forms WordPress plugin. This flaw has been fully patched in version, and we recommend that all users update to the latest available version immediately. Sites running Wordfence Premium, as well as sites still using the free version of Wordfence, are protected from Cross-Site Scripting attacks against this vulnerability by the Wordfence firewall’s built-in protection. If you know a friend or colleague who is using this plugin, we recommend forwarding this advisory to them as soon as possible to help them secure their site.

The post High Severity Vulnerability Patched in Ninja Forms appeared first on Wordfence.

About the author 

WP Maintain Support Protect
