Patch this popular WordPress plugin now to avoid site hijacking

High severity vulnerability in the Ninja Forms plugin could allow attackers to inject malicious JavaScript code


The developers of the popular WordPress plugin Ninja Forms have released a fix for a high severity security vulnerability that could allow attackers to inject malicious code and take over an entire website if left unpatched.

All versions of the plugin up to 3.4.24.2 are affected by a Cross-Site Request Forgery (CSRF) vulnerability that can be used to launch Stored Cross-Site Scripting (Stored XSS) attacks against users’ WordPress sites.

An attacker could exploit the vulnerability in Ninja Forms by tricking a WordPress admin into clicking on specially crafted links, which inject malicious JavaScript code as part of an imported contact form.

Ninja Forms is currently installed on over 1m WordPress sites; the form builder plugin allows users to quickly create complex forms through its drag-and-drop editor.

CSRF vulnerability

WordFence discovered and responsibly reported the CSRF vulnerability to the developer of Ninja Forms, Saturday Drive, on April 27. The developer quickly released a security fix for the issue in the latest version of its plugin, which was released less than a day after WordFence’s initial disclosure report.

In a blog post, WordFence QA engineer Ram Gall provided more details on how an attacker could leverage the vulnerability if site owners don’t update the plugin to the latest version, saying:

“An attacker could use this vulnerability to replace an HTML tag like with malicious JavaScript. This would cause the malicious code to execute on nearly every page of the affected site, as nearly all pages start with an HTML tag for the page header, creating a significant impact if successfully exploited. The malicious code could be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site, allowing attackers the ability to obtain administrative access or to infect innocent visitors browsing a compromised site.”
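The bug described above has two halves: an admin-only import action that any forged link could trigger (CSRF), and imported form content that reached the page unsanitized (stored XSS). As an added illustration that is not Ninja Forms’ own code or its patch, this is how a WordPress plugin’s form-import handler closes both; the action name, option key and field layout are assumptions.

```php
<?php
// Hypothetical admin-side "import form" AJAX handler for a WordPress plugin.
// Illustrative only, not Ninja Forms' code; action name, option key and the
// field layout are assumptions.

add_action( 'wp_ajax_example_import_form', 'example_import_form' );

function example_import_form() {
    // 1. CSRF defence: the request must carry a nonce bound to this action and
    //    to the logged-in user. A link forged on a third-party site cannot know it.
    //    check_ajax_referer() stops the request with "-1" if the nonce is invalid.
    check_ajax_referer( 'example_import_form', '_wpnonce' );

    // 2. Authorization: only users who may manage the site can import forms.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Parse the submitted definition as JSON and reject anything malformed.
    $raw  = isset( $_POST['form'] ) ? wp_unslash( $_POST['form'] ) : '';
    $form = json_decode( $raw, true );
    if ( ! is_array( $form ) || empty( $form['fields'] ) || ! is_array( $form['fields'] ) ) {
        wp_send_json_error( array( 'message' => 'Malformed form definition.' ), 400 );
    }

    // 4. Sanitize every value that will later be echoed into a page. wp_kses_post()
    //    strips <script>, on* event handlers and javascript: URLs while keeping
    //    ordinary HTML, so an imported "HTML" field cannot carry stored XSS.
    $clean = array( 'title' => sanitize_text_field( $form['title'] ?? '' ), 'fields' => array() );
    foreach ( $form['fields'] as $field ) {
        $clean['fields'][] = array(
            'type'    => sanitize_key( $field['type'] ?? '' ),
            'label'   => sanitize_text_field( $field['label'] ?? '' ),
            'content' => wp_kses_post( $field['content'] ?? '' ),
        );
    }

    // 5. Persist only the sanitized definition (option key is an assumption).
    $forms   = get_option( 'example_forms', array() );
    $forms[] = $clean;
    update_option( 'example_forms', $forms );

    wp_send_json_success( array( 'imported' => count( $clean['fields'] ) ) );
}

// The matching nonce is minted server-side for the admin page that submits the
// import, e.g. when enqueuing its script (handle name is an assumption):
//   wp_localize_script( 'example-admin', 'exampleImport',
//       array( 'nonce' => wp_create_nonce( 'example_import_form' ) ) );
```

Sanitizing on the way in is the belt; escaping with esc_html() or wp_kses_post() again where the form is rendered is the braces, since stored data may be edited by other code paths later.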

While Ninja Forms has already patched the issue, only 170,000 of the plugin’s 1m users have updated their installations to the latest version during the last week. If your site uses this plugin, it is highly recommended that you update to the latest version now to avoid falling victim to any potential attacks leveraging the CSRF vulnerability.

Via Bleeping Computer

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
