We reached out to Ninja Forms' security team in accordance with their Responsible Disclosure Guidelines and they replied within a few hours. The plugin was patched less than a day after our initial contact, on April 28, 2020.
All Wordfence users, including both Wordfence Premium and free Wordfence users, are protected from XSS attempts against this vulnerability by the Wordfence Firewall's built-in XSS protection.
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: < 22.214.171.124
CVE ID: CVE-2020-12462
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 126.96.36.199
The Ninja Forms plugin comes with a "legacy" mode which allows users to revert its styling and features to those of the plugin's final 2.9.x version. As part of this feature, it adds several AJAX functions which appear to be intended to import forms and fields between the "legacy" mode and the default mode. While most of these functions used capability checks, two of the functions did not check nonces, which are used to verify that a request was intentionally sent by a legitimate user. One function in particular, ninja_forms_ajax_import_form, allowed importing forms containing custom HTML:
```php
add_action( 'wp_ajax_ninja_forms_ajax_import_form', 'ninja_forms_ajax_import_form' );
function ninja_forms_ajax_import_form() {
    // Capability check only: there is no check_ajax_referer()/wp_verify_nonce() call,
    // so a request forged from another site and carried by the victim's cookies passes.
    if( ! current_user_can( apply_filters( 'ninja_forms_admin_upgrade_import_form_capabilities', 'manage_options' ) ) ) return;
    $import = stripslashes( $_POST[ 'import' ] );
    // formID selects which existing form is overwritten by the import.
    $form_id = ( isset( $_POST[ 'formID' ] ) ) ? absint( $_POST[ 'formID' ] ) : '';
    WPN_Helper::delete_nf_cache( $form_id ); // Bust the cache.
    Ninja_Forms()->form()->import_form( $import, TRUE, $form_id, TRUE );
    if( isset( $_POST[ 'flagged' ] ) && $_POST[ 'flagged' ] ) {
        $form = Ninja_Forms()->form( $form_id )->get();
        $form->update_setting( 'lock', TRUE );
        $form->save();
    }
    echo json_encode( array( 'export' => WPN_Helper::esc_html($_POST['import']), 'import' => $import ) );
    wp_die();
}
```
$_POST parameter to the ID of an existing form.
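The following is an added example, not the plugin's code and not the vendor's actual patch, showing how a WordPress AJAX handler like the one above is protected against cross-site request forgery: the page that triggers the import is given a nonce via wp_localize_script(), and the handler verifies it with check_ajax_referer() before the capability check runs. The action name 'nf_legacy_import', the script handle, the 'nfLegacyImport' JavaScript object and the function name nf_example_hardened_import_form are assumed names for this illustration; the Ninja Forms calls (WPN_Helper, Ninja_Forms()->form()) are used as they appear in the vulnerable handler.

```php
<?php
// Added example (not the plugin's own code): nonce-protected version of the
// legacy import AJAX handler. Names 'nf_legacy_import', 'nf-legacy-import',
// 'nfLegacyImport' and nf_example_hardened_import_form are assumptions.

// 1. Give the admin page's JavaScript a nonce tied to this action and to the
//    logged-in user. A page on another origin cannot read this value, so a
//    forged cross-site request cannot include it.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'nf-legacy-import',
        plugins_url( 'legacy-import.js', __FILE__ ), // assumed script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'nf-legacy-import', 'nfLegacyImport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'nf_legacy_import' ),
    ) );
} );

// 2. The handler: verify the nonce first, then the capability, then the input.
add_action( 'wp_ajax_ninja_forms_ajax_import_form', 'nf_example_hardened_import_form' );
function nf_example_hardened_import_form() {
    // Dies with HTTP 403 if $_REQUEST['security'] is missing or is not a valid
    // nonce for 'nf_legacy_import'. This is the check the vulnerable handler lacked:
    // the victim's auth cookies alone are no longer enough to reach the import.
    check_ajax_referer( 'nf_legacy_import', 'security' );

    // Same capability check as the original handler.
    if ( ! current_user_can( apply_filters( 'ninja_forms_admin_upgrade_import_form_capabilities', 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( empty( $_POST['import'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing import data.' ), 400 );
    }
    $import  = stripslashes( $_POST['import'] );
    $form_id = isset( $_POST['formID'] ) ? absint( $_POST['formID'] ) : '';

    WPN_Helper::delete_nf_cache( $form_id ); // Bust the cache.
    Ninja_Forms()->form()->import_form( $import, true, $form_id, true );

    if ( ! empty( $_POST['flagged'] ) ) {
        $form = Ninja_Forms()->form( $form_id )->get();
        $form->update_setting( 'lock', true );
        $form->save();
    }

    // Return only an escaped copy of the input; do not reflect raw POST data.
    wp_send_json_success( array( 'export' => esc_html( $import ) ) );
}
```

The browser side must send the nonce with every import request, for example as a `security` field in the POST body alongside `action`, `import` and `formID`, taken from `nfLegacyImport.nonce`. Because check_ajax_referer() runs before anything else, a request that omits or forges the nonce never reaches the import logic regardless of which user's session it rides on; the capability check still limits the action to administrators for requests that do carry a valid nonce.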
Vulnerability Disclosure Policies are Important
One of the reasons this plugin was patched so quickly is that the plugin's team maintains a Responsible Security Disclosure Policy, also known as a Vulnerability Disclosure Policy. This allowed us to contact them directly with full disclosure rather than spending days searching for or verifying the correct contact channel. While we have occasionally seen plugins patched in under 24 hours before, responses like this are exceptional and indicate a significant commitment to security.
If you are responsible for any kind of software product or service, having a Vulnerability Disclosure Policy (VDP) not only improves your chances of being alerted to serious security issues, but also lets you set expectations for your response. Most importantly, it reduces the chance of vulnerabilities in your products being prematurely or irresponsibly disclosed and attacked by bad actors before you have a chance to fix them. We therefore strongly recommend implementing a VDP to improve not only the efficiency of your response to specific flaws, but also the overall security of your product.
April 27, 2020 19:00 UTC – Our Threat Intelligence Team discovers and analyzes the vulnerability and verifies our existing Firewall Rules provide sufficient protection against XSS.
April 27, 2020 19:24 UTC – We provide full disclosure to the plugin's developer according to their Responsible Security Disclosure Policy.
April 27, 2020 20:27 UTC – We receive a response that a patch should be available the next day.
April 28, 2020 19:00 UTC – Patched version of the plugin released.
In today's post, we detailed a Cross-Site Request Forgery vulnerability in the Ninja Forms WordPress plugin. This flaw has been fully patched in version 188.8.131.52, and we recommend that all users update to the latest available version immediately. Sites running Wordfence Premium, as well as sites still using the free version of Wordfence, are protected from Cross-Site Scripting attacks via this vulnerability by the Wordfence firewall's built-in protection. If you know a friend or colleague who is using this plugin, we recommend forwarding this advisory to them as soon as possible to help them secure their site.
The post High Severity Vulnerability Patched in Ninja Forms appeared first on Wordfence.