Flaws in the WordPress Ninja Forms plugin let attackers steal submitted form data
Take action: Time to patch your WordPress plugins once again. This time it's Ninja Forms. With so many vulnerabilities in WordPress and its plugins, one can at least be grateful that the patching process is quick.
Three vulnerabilities have been identified in the popular WordPress form-building plugin Ninja Forms, which could lead to privilege escalation and data theft.
Versions 3.6.25 and older are affected.
The vulnerabilities were fixed in version 3.6.26, released on 4 July 2023.
The vulnerabilities are as follows:
While all three vulnerabilities are rated high severity, CVE-2023-38393 poses the greatest risk because it is exploitable by an account holding the Subscriber role, the lowest default role in WordPress, which exists in every installation. Any site that allows open user registration and runs a vulnerable Ninja Forms version is therefore exposed without any social engineering: an attacker simply registers an account and then exfiltrates the submitted form data.
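As an added example (not code from the article or from the Ninja Forms project), the following shell script performs the triage a site owner would want after reading the above: it treats a Ninja Forms version older than 3.6.26 as vulnerable and flags the combination with open registration, the self-service exploitation path described in the paragraph, as the worst case. When invoked with --live it assumes WP-CLI is installed and that it is run from the WordPress root; the version comparison and classification are plain POSIX shell and run offline on the constructed values at the bottom.

```shell
#!/bin/sh
# Added example (not from the article or from Ninja Forms): triage one WordPress
# site for the exposure described above -- a vulnerable Ninja Forms version
# combined with open user registration.  The two facts are read with standard
# WP-CLI commands when run with --live from the WordPress root; the decision
# logic itself is pure shell so it can be exercised offline.
set -u

FIXED_VERSION=3.6.26   # first release containing the fixes (from the article)

# version_lt A B: exit 0 if dotted numeric version A is strictly older than B.
# Missing components count as 0, so "3.6" is older than "3.6.26".
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# assess_exposure VERSION USERS_CAN_REGISTER: prints the triage result.
#   patched                       -> 3.6.26 or later, nothing to do
#   vulnerable-authenticated-only -> old version, but an attacker needs an existing account
#   vulnerable-open-registration  -> old version and anyone can register: the
#                                    self-service exploitation path from the article
assess_exposure() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo patched
    elif [ "$2" = "1" ]; then
        echo vulnerable-open-registration
    else
        echo vulnerable-authenticated-only
    fi
}

# check_site: read the live values with WP-CLI.  The plugin slug on WordPress.org
# is ninja-forms; users_can_register is the "Anyone can register" option (0 or 1).
check_site() {
    version=$(wp plugin get ninja-forms --field=version) || {
        echo "ninja-forms is not installed"; return 0; }
    can_register=$(wp option get users_can_register)
    echo "ninja-forms $version, users_can_register=$can_register: $(assess_exposure "$version" "$can_register")"
}

# Offline demonstration with constructed values; use --live on a real site.
if [ "${1:-}" = "--live" ]; then
    check_site
else
    assess_exposure 3.6.25 1   # vulnerable-open-registration
    assess_exposure 3.6.25 0   # vulnerable-authenticated-only
    assess_exposure 3.6.26 1   # patched
fi
```

Note that the "authenticated-only" result is a risk label, not a mitigation: turning off "Anyone can register" only removes the self-service path, and any existing Subscriber account can still exploit an unpatched install. The fix is the update to 3.6.26 or later.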
To protect users, public disclosure of these vulnerabilities was delayed by more than three weeks, giving Ninja Forms users time to apply the patch before the details attracted the attention of attackers. Unfortunately, people are lazy.
WordPress.org's plugin statistics show that only about half of all Ninja Forms users have updated to the latest release, leaving around 400,000 sites still exposed.