Ninja Forms, a popular plugin active on more than 500K websites, released an update 48 hours ago that addresses a critical security vulnerability. Wordfence is reporting that Ninja Forms versions 2.9.36 to 2.9.42 contain multiple security vulnerabilities.
One of the vulnerabilities allows an attacker to upload and execute code remotely on WordPress sites. The only information needed to exploit the vulnerability is the URL of the target site that’s using a form powered by an affected version of Ninja Forms.
Kevin Stover, CTO of Ninja Forms, explains to the Tavern how they discovered the vulnerabilities:
About two weeks ago, we were contacted by a security researcher, James Golovich, regarding a file upload issue within Ninja Forms. He demonstrated that it was possible to upload an arbitrary file using some test code that hadn’t been removed during our build process.
We realised that the test code had accidentally been utilised in other areas of the plugin, and we immediately began working on a fix. While the issue was being patched, we reached out to the devs at the WordPress.org repo and began the processes of preparing for auto updating users of the affected versions.
Once the patch had been tested, we pushed version 2.9.43 and .1 versions of 2.9.36 – 2.9.42. Shortly after, WordPress.org began pushing out automatic updates.
As to why there wasn’t a post published immediately on the official Ninja Forms blog announcing the update, “We didn’t want to go public with the vulnerability until our users had time to update, both to the newest version and the .1 versions,” Stover said.
“James Golovich’s responsible disclosure gave us time to fix the issue and for our users to update to safe versions before disclosing the vulnerability on his site,” he said. The company has since published a blog post concerning the update.
Working with the WordPress security team, automatic updates started rolling out on Tuesday, May 3rd. If automatic plugin updates are disabled, you’re highly encouraged to update manually to 2.9.45 as soon as possible. The Ninja Forms team is also working with a number of large webhosts to ensure as many sites as possible are updated.
Wordfence is not detecting wide-spread exploitation but this could change in the next few days as details of the exploit emerge.
When it comes to security vulnerabilities, the ability to upload and execute code remotely is about as severe as it gets. Golovich is credited with responsibly disclosing the vulnerability to the Ninja Forms team. He also provides technical details of each vulnerability, most of which are in the Ninja Forms 3.0 code base.
According to Golovich, the most vulnerable code is a proof of concept:
The following vulnerable code was, according to Kyle Johnson of the WP Ninjas team ‘not a live feature of Ninja Forms, but was more of a proof of concept for a future free feature.’ Unfortunately, even proof of concept code that is accessible is still vulnerable to attack. This is the most critical vulnerability here because it potentially allows an attacker to execute arbitrary php code on a site.
Users should update as soon as possible as it’s only a matter of time before tools are created that can easily take advantage of the exploit.