Four severe vulnerabilities have been identified in a single WordPress plugin used by more than one million websites. The bugs were discovered affecting the Ninja Forms plugin, a drag-and-drop form builder, and could be used to take over a WordPress site and redirect administrators to malicious portals.
The first flaw makes it possible to redirect site owners to arbitrary locations, taking advantage of the wp_safe_redirect function. Attackers could craft a link with a redirect parameter that takes the site owner to a malicious URL by indicating that an inquiry into a site’s unusual behavior was taking place. This could be enough to convince the administrator to unwittingly click on the malicious link.
The second vulnerability allows attackers to intercept email traffic, providing they have subscriber level access or above. The third makes it possible for attackers to access the Ninja Forms central management dashboard by gaining access to the authentication key, while the fourth flaw allows threat actors to disconnect a site’s OAuth Connection, meaning that there would be no way of carrying out access delegation.
- We've featured the best WordPress hosting providers
- We've put together a list of the best WordPress SEO plugins
- Also, check out our roundup of the best WordPress analytics plugins
“In today’s post, we detailed four flaws in the Ninja Forms plugin that granted attackers the ability to obtain sensitive information while also allowing them the ability to redirect administrative users,” Chloe Chamberland, a member of the Wordfence Threat Intelligence Team, said. “These flaws have been fully patched in version 126.96.36.199. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.”
The four flaws have been granted different levels of severity, with the most dangerous being given a CVSS score of 9.9. However, given the popularity of the affected plugin, even the least severe threat should be patched as soon as possible.
Ninja Forms released a fix for three of the vulnerabilities on January 25, with the final flaw patched on February 8.
- Also, these are the best web hosting providers out there
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.