In a recent report, cybersecurity firm Patchstack has disclosed multiple security vulnerabilities in the popular Ninja Forms plugin for WordPress, potentially leaving over 800,000 websites at risk. The flaws affect versions 3.6.25 and below of the plugin and could be exploited by threat actors to escalate privileges and steal sensitive data.
The identified vulnerabilities are as follows:
CVE-2023-37979 (CVSS score: 7.1) – This flaw is a POST-based reflected cross-site scripting (XSS) vulnerability. If exploited, it could allow any unauthenticated user to perform privilege escalation on a targeted WordPress site by deceiving privileged users into visiting a specially crafted website.
CVE-2023-38386 and CVE-2023-38393 – These are broken access control flaws in the form submissions export feature. A malicious actor with Subscriber and Contributor roles could exploit these vulnerabilities to export all Ninja Forms submissions on a WordPress site.
Users of the Ninja Forms plugin are strongly advised to update their installations to version 3.6.26 immediately to safeguard their websites against potential threats.
The security community is increasingly concerned about the prevalence of plugin vulnerabilities that can lead to severe consequences for website owners and users. In light of the recent findings, website administrators are urged to remain vigilant and promptly apply security patches and updates to mitigate the risks posed by potential exploits.
It is crucial to keep all WordPress plugins, themes, and core files up-to-date to ensure a robust security posture and protect against emerging threats. Additionally, website owners are encouraged to leverage security tools and monitoring services to detect and respond to potential attacks in real time.
In the same report, Patchstack also disclosed other vulnerabilities in popular WordPress tools. A reflected XSS flaw was found in the Freemius WordPress software development kit (SDK) affecting versions before 2.5.10 (CVE-2023-33999), which could be exploited to obtain elevated privileges. Furthermore, the HT Mega plugin (CVE-2023-37999), present in versions 2.2.0 and below, was identified to enable any unauthenticated user to escalate their privilege to that of any role on the WordPress site.
Website administrators are advised to review their current plugin set, remove any unnecessary or unused plugins, and prioritize security in their maintenance practices.
As cyber threats continue to evolve, staying informed about vulnerabilities and applying necessary security measures is paramount to safeguarding the integrity and privacy of online assets.