Flaw in WordPress Ninja Forms lets attackers steal WordPress submitted data

published: July 27, 2023

Take action: Time to patch your WordPress plugins once again. This time it's Ninja Forms. With so many vulnerabilities in WordPress and plugins, one can only feel fortunate that the patching process is quite fast.


Three vulnerabilities have been identified in the popular WordPress form-building plugin Ninja Forms, which could lead to privilege escalation and data theft.

Versions 3.6.25 and older are affected by these vulnerabilities.

The vulnerabilities were fixed in version 3.6.26, released on 4th July 2023.

The vulnerabilities are as follows:

  • CVE-2023-37979 is a POST-based reflected XSS flaw that lets unauthorized users gain escalated privileges and steal sensitive information from privileged users who visit a malicious webpage.
  • CVE-2023-38393 and CVE-2023-38386 are broken access control issues in the plugin's form submissions export feature. They enable Subscribers and Contributors, respectively, to export all user-submitted data from the affected WordPress site.

While all the vulnerabilities are rated as high-severity, CVE-2023-38393 poses a significant risk because it requires only the Subscriber role, which exists in every deployment of Ninja Forms. Any WordPress site that supports self-registration of user membership and uses Ninja Forms is automatically exploitable, since attackers can simply create a credential for themselves and then exfiltrate all data.

To ensure user safety, the public disclosure of these vulnerabilities was delayed by over three weeks, giving Ninja Forms users time to apply the patches before potentially attracting the attention of hackers. Unfortunately, people are lazy.

WordPress.org reveals that only approximately half of all Ninja Forms users have updated to the latest release, leaving around 400,000 sites still susceptible to attacks.
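An added triage sketch (not from Ninja Forms or the original article) that combines the two facts above: releases before 3.6.26 are affected, and open self-registration gives anyone a Subscriber account. It assumes WP-CLI is installed as `wp` and that `sort -V` is available; the function names and output labels are illustrative.

```shell
#!/bin/sh
# First fixed Ninja Forms release, as stated in the article.
FIXED_VERSION="3.6.26"

# version_lt A B: succeeds when dotted version A is strictly older than B.
version_lt() {
  if [ "$1" = "$2" ]; then return 1; fi
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# nf_triage VERSION USERS_CAN_REGISTER
# Prints one of: patched | vulnerable | vulnerable-open-registration
nf_triage() {
  version=$1
  can_register=$2
  if ! version_lt "$version" "$FIXED_VERSION"; then
    echo "patched"
    return 0
  fi
  # Open registration means anyone can obtain the Subscriber role,
  # so these sites should be patched first.
  if [ "$can_register" = "1" ]; then
    echo "vulnerable-open-registration"
  else
    echo "vulnerable"
  fi
}

# nf_audit_site PATH: read the live values from one WordPress install.
nf_audit_site() {
  path=$1
  version=$(wp --path="$path" plugin get ninja-forms --field=version 2>/dev/null) || {
    echo "not-installed"
    return 0
  }
  can_register=$(wp --path="$path" option get users_can_register 2>/dev/null || echo 0)
  nf_triage "$version" "$can_register"
}

# Usage: sh nf_audit.sh /var/www/site1 /var/www/site2
if [ "$#" -gt 0 ]; then
  for site in "$@"; do
    printf '%s\t%s\n' "$site" "$(nf_audit_site "$site")"
  done
fi
```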
