Patch this popular WordPress plugin now to avoid site hijacking


The developers of the popular WordPress plugin Ninja Forms have released a fix for a high severity security vulnerability that could allow attackers to inject malicious code to take over an entire website if left unpatched.

All versions of the plugin up to 3.4.24.2 are affected by a Cross-Site Request Forgery (CSRF) vulnerability that can be chained into a Stored Cross-Site Scripting (Stored XSS) attack on users' WordPress sites.

An attacker could exploit the vulnerability in Ninja Forms by tricking a logged-in WordPress admin into clicking a specially crafted link. Because the admin's browser sends the site's session cookies with that request, the plugin accepts it as a legitimate form import, and the attacker-supplied JavaScript is stored as part of the imported contact form.

Ninja Forms is currently installed on over 1m WordPress sites; the form builder plugin allows users to quickly create complex forms through its drag-and-drop editor.

CSRF vulnerability

WordFence discovered the CSRF vulnerability and responsibly reported it to Saturday Drive, the developer of Ninja Forms, on April 27. The developer quickly released a security fix in the latest version of its plugin, which shipped less than a day after WordFence's initial disclosure report.

In a blog post, WordFence QA engineer Ram Gall provided more details on how an attacker could leverage the vulnerability if site owners don't update the plugin to the latest version, saying:

“An attacker could use this vulnerability to replace an HTML tag like <head> with malicious JavaScript. This would cause the malicious code to execute on nearly every page of the affected site, as nearly all pages start with a <head> HTML tag for the page header, creating a significant impact if successfully exploited. The malicious code could be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site, allowing attackers the ability to obtain administrative access or to infect innocent visitors browsing a compromised site.”
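To make the CSRF-to-stored-XSS chain described above concrete, the following is an added example of a hypothetical WordPress admin handler that imports a form definition. It is not Ninja Forms' code and does not reproduce the plugin's actual import path; the function names, the `myplugin_` prefix, the option key and the `form_json` field are all invented for illustration. The vulnerable handler has a capability check but no nonce, so a crafted link or auto-submitting page visited by a logged-in admin is accepted, and any markup in the import is stored verbatim and later rendered on the site. The hardened handler adds the nonce check that defeats CSRF and sanitises the stored markup so that a `<script>` tag or event handler cannot survive even if a request does get through.

```php
<?php
/*
 * Hypothetical WordPress plugin code, added as an illustration only.
 * Not Ninja Forms code; all names here are invented for the example.
 * This runs inside WordPress (admin-post.php request flow).
 */

// VULNERABLE pattern: capability check only, no nonce, no sanitisation.
// A logged-in admin who clicks a crafted link or lands on a page that
// auto-submits this POST passes current_user_can(), because the browser
// attaches the site's session cookies. Whatever markup the attacker put in
// the import is stored and echoed into every page that renders the form.
function myplugin_import_form_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $raw  = isset( $_POST['form_json'] ) ? wp_unslash( $_POST['form_json'] ) : '';
    $data = json_decode( $raw, true );
    update_option( 'myplugin_form_' . intval( $data['id'] ), $data ); // stored XSS sink
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin&imported=1' ) );
    exit;
}

// HARDENED pattern: capability check + nonce (defeats CSRF) + sanitisation
// (defeats stored XSS even if a request somehow reaches the sink).
function myplugin_import_form_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request unless it carries a valid
    // nonce tied to this action and this user's session. A page on another
    // origin cannot read that nonce, so a forged request fails here.
    check_admin_referer( 'myplugin_import_form', 'myplugin_nonce' );

    $raw  = isset( $_POST['form_json'] ) ? wp_unslash( $_POST['form_json'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) || empty( $data['id'] ) || ! isset( $data['fields'] ) ) {
        wp_die( 'Invalid form definition', '', array( 'response' => 400 ) );
    }

    // Rebuild the stored structure field by field instead of trusting the input.
    $clean = array(
        'id'     => absint( $data['id'] ),
        'title'  => sanitize_text_field( $data['title'] ?? '' ),
        'fields' => array(),
    );
    foreach ( (array) $data['fields'] as $field ) {
        $clean['fields'][] = array(
            'label' => sanitize_text_field( $field['label'] ?? '' ),
            'type'  => sanitize_key( $field['type'] ?? 'text' ),
            // Fields that legitimately carry HTML keep safe markup only:
            // wp_kses_post() strips <script>, on* attributes and javascript: URLs.
            'html'  => wp_kses_post( $field['html'] ?? '' ),
        );
    }
    update_option( 'myplugin_form_' . $clean['id'], $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin&imported=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_import_form', 'myplugin_import_form_safe' );

// The import form must emit the nonce the hardened handler checks.
function myplugin_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_import_form">
        <?php wp_nonce_field( 'myplugin_import_form', 'myplugin_nonce' ); ?>
        <textarea name="form_json"></textarea>
        <?php submit_button( 'Import form' ); ?>
    </form>
    <?php
}
```

The two checks are independent and both belong in the handler: the nonce stops a third-party page from driving the admin's browser into the import, while sanitising on the way into `update_option()` limits the damage if some other path (a second plugin, a leaked nonce, a direct database write) lands attacker markup in the same option. Note that `wp_kses_post()` keeps ordinary HTML, so a form that genuinely needs custom markup still works; only executable content is dropped.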

While Ninja Forms has already patched the issue, only 170,000 of the plugin's 1m users have updated their installations to the latest version during the last week. If your site uses this plugin, it is highly recommended that you update to the latest version now to avoid falling victim to any potential attacks leveraging the CSRF vulnerability.

Via Bleeping Computer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.