Late last week, Ninja Forms users received a forced security update from WordPress.org for a critical PHP Object Injection vulnerability. This particular vulnerability can be exploited remotely without any authentication. It was publicly disclosed last week and patched in the latest version, 3.6.11. Patches were also backported to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, and 3.5.8.4.
Wordfence noticed a back-ported security update in the form builder plugin, which has more than a million active installs. Threat analyst Chloe Chamberland explained the vulnerability in an advisory alerting the company’s users:
We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.
The vulnerability affects Ninja Forms’ “Merge Tags” feature that auto-populates values from Post IDs and usernames, for example. Wordfence threat analyst Ramuel Gall reverse engineered the vulnerability’s patches to create a working proof of concept. He found that it is possible to call various Ninja Forms classes that could be used for a wide range of exploits, including complete site takeover. Chamberland reports there is evidence to suggest the vulnerability is being actively exploited in the wild.
WordPress.org’s forced security updates are a mitigation effort used in rare instances where the vulnerability is particularly severe and affects a large number of users. More than 680,000 sites were updated on June 14. This PHP object injection vulnerability scores 9.8 on the Common Vulnerability Scoring System, but it has not yet been given a CVE ID.
Reviewing previous CVE ID’s for Ninja Forms, this is the most severe vulnerability in the plugin’s history. Ninja Forms’ changelog doesn’t communicate the severity of the threat, categorizing it as a “security enhancement:”
3.6.11 (14 JUNE 2022)
Security Enhancements
* Apply more strict sanitization to merge tag values
Ninja Forms did not post about the security update on its blog or social media accounts. Wordfence plans to update the text of its advisory as the company learns more about how attackers are exploiting the vulnerability. Ninja Forms users should check their sites to ensure the automatic security update went through. This update comes just one week after Ninja Forms patched a less severe, authenticated stored cross-site scripting (XSS) vulnerability on June 7.
Wordfence’s post left out some important information about this, including that the vulnerability is reported to have been exploited at least as far back as June 9: https://wpscan.com/vulnerability/8843d66b-e895-4336-afda-00b99442cdc1
In reviewing the vulnerability, we found that there is still a vulnerability related to the insecurity that caused the fixed vulnerability in Merge Tags functionality. We contacted the developer about that over the weekend, but we haven’t gotten a response and so far it hasn’t been addressed: https://www.pluginvulnerabilities.com/2022/06/20/ninja-forms-merge-tags-functionality-is-still-vulnerable/
The claimed authenticated stored cross-site scripting (XSS) vulnerability mentioned isn’t really a vulnerability. but to the extent there really was a security issue, we notified the developer about part of that in January and they took until June to address it. There was a real vulnerability fixed in that version: https://www.pluginvulnerabilities.com/2022/05/27/our-proactive-monitoring-caught-a-csrf-php-object-injection-vulnerability-in-1-million-install-wordpress-plugin-ninja-forms/