Nasty WordPress plugin vulnerabilities puts over a million sites at risk
WordPress says vulnerabilities have been patched, but users need to update now
Two vulnerabilities in the popular Ninja Forms WordPress plugin could have enabled threat actors to export sensitive information and send phishing emails from a vulnerable site, report security researchers.
In their breakdown of the vulnerability, cybersecurity researchers from Wordfence, which develops security solutions to protect WordPress installations, note that Ninja Forms boasts an installation base of over one million websites.
The researchers explain that the vulnerabilities existed because the popular form-building plugin relied on an insecure implementation of the mechanism that checks a user's permissions.
The insecure implementation meant that, instead of ensuring a logged-in user had the right permissions to trigger the associated action, the function only checked whether the user was logged in at all, and nothing else.
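The flaw class described above, shown as an added illustration in WordPress PHP (this is not Ninja Forms' code; the handler names, the `manage_options` capability and the CSV helper are hypothetical): the weak handler accepts any authenticated account, while the hardened one requires a specific capability and a nonce bound to the action.

```php
<?php
// Added illustration of the flaw described in the article: a permission check that
// only asks "is this user logged in?" instead of "may this user run this action?".
// All function and action names here are hypothetical, not Ninja Forms' own code.

// Weak pattern: any authenticated account (even a Subscriber) passes this check,
// so every submission ever made to a form can be exported.
function hypothetical_export_submissions_weak() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    wp_send_json_success( hypothetical_build_submission_csv( $form_id ) );
}

// Hardened pattern: verify a nonce tied to this action (blocks CSRF) and require a
// capability that only trusted roles hold, rather than mere authentication.
function hypothetical_export_submissions_hardened() {
    check_ajax_referer( 'hypothetical_export_submissions', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {   // capability is an assumption
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( 'missing form_id', 400 );
    }
    wp_send_json_success( hypothetical_build_submission_csv( $form_id ) );
}

// Hypothetical data-access helper; a real plugin would read submissions from the
// database and escape each field before emitting CSV.
function hypothetical_build_submission_csv( $form_id ) {
    $rows = array( array( 'form_id', 'submitted_at', 'payload' ) );
    $out  = '';
    foreach ( $rows as $row ) {
        $out .= implode( ',', array_map( 'esc_attr', $row ) ) . "\n";
    }
    return $out;
}

// Register only the hardened handler for logged-in AJAX requests; the weak
// variant above is shown for comparison and is deliberately not registered.
add_action( 'wp_ajax_hypothetical_export_submissions', 'hypothetical_export_submissions_hardened' );
```

The same capability-plus-nonce pattern applies to the email-sending action the article mentions: an authenticated session alone should never authorise sending mail from the site's domain.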
Who is it?
One of the issues, a bulk submission export vulnerability, could enable any logged-in user, irrespective of their permissions level, to export everything that had ever been submitted to one of the site’s forms.
The other issue enabled any user to send an email from a vulnerable WordPress website to any email address.
“This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email,” suggests Wordfence, adding that it could also be used to trick the website’s admins as well to facilitate a site takeover campaign.
Wordfence responsibly disclosed the vulnerability to Ninja Forms on August 3, 2021, who acknowledged it immediately and released a patch earlier this month in the form of Ninja Forms v3.5.8.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.