Critical Ninja Forms Vulnerability Exposes 1+ Million WordPress Sites | CSRF – XSS Attack

Though versatile and easy to manage, WordPress and its plugins have a long history of exploitable vulnerabilities. The latest WordPress plugin to come under fire is Ninja Forms.

Ninja Forms is a widely used WordPress form-builder plugin whose forms are customized with drag-and-drop functionality. Its attractive design, easy integration, and many features and add-ons make it a popular choice among WordPress site owners; as a result, the plugin remains in demand and currently has over 1 million active installations.

But on April 27, 2020, Wordfence, a WordPress security firm, discovered a vulnerability in the Ninja Forms plugin. The bug, tracked as CVE-2020-12462, has been assigned a high-severity CVSS score of 8.8. It lets an attacker create a new administrator account and subsequently take full control of the site, which is about the best outcome a hacker can hope for.

WordPress Ninja Forms Exploit Explained: How Does It Work?

The Ninja Forms bug chains a CSRF (Cross-Site Request Forgery) vulnerability into a stored XSS (Cross-Site Scripting) vulnerability, and it lives in the "legacy" mode of the plugin.

  • What is CSRF?
    A CSRF attack tricks the victim's browser into sending a request the attacker has crafted. Because the browser automatically attaches the victim's session cookies, the request runs with the victim's privileges, so the attacker gets an unwanted action performed on the victim's behalf.
  • What is XSS?
    An XSS attack injects malicious script into a vulnerable website. The target is the site's visitors: the script runs in the browser of anyone who loads the affected page. In a stored XSS, the injected script is saved on the server and served to every subsequent visitor of that page.

Background - CSRF Vulnerability Found

First, some background on what legacy mode in Ninja Forms is and how it works. Legacy mode simply lets users keep styling their forms with the features of the previous version (2.9.x). Switching between the default and legacy modes is handled through AJAX requests, and this is where Ninja Forms was left defenseless: two of its AJAX functions failed to validate the requests they received. These functions should have verified that the request was intentionally made by a legitimate user and that the user had permission to perform the action; because they did neither, any request carrying an admin's session cookies was accepted. That is the CSRF vulnerability. One of the two functions in particular, ninja_forms_ajax_import_form, imports a form, including custom HTML, from the request data.
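To make the missing checks concrete, here is an added example written for this article; it is not Ninja Forms' own code, and the hook name, the request parameters (import, formID), the nonce action and the option-based storage are all assumed for illustration. The first handler has the shape of the defect described above: a WordPress admin-ajax action that trusts any request arriving with a logged-in session. The second shows the two checks such a handler needs, a nonce tied to the action (which a cross-site page cannot obtain, defeating CSRF) and a capability check (so only an administrator can import at all).

```php
<?php
// Added illustration, not the plugin's code. Hook names, parameter names
// ('import', 'formID'), the nonce action and the storage are assumptions.

// BEFORE: reachable by any request that carries a valid WordPress login cookie.
// A page the admin is lured to can auto-submit this request cross-site, and the
// imported HTML (with <script>) is stored and rendered later: stored XSS.
function vulnerable_ajax_import_form() {
    $form_id   = isset( $_POST['formID'] ) ? absint( $_POST['formID'] ) : 0;
    $form_data = isset( $_POST['import'] ) ? wp_unslash( $_POST['import'] ) : '';

    // No check_ajax_referer() and no current_user_can(): nothing proves the
    // admin meant to send this, or that the sender may import forms at all.
    save_imported_form( $form_id, $form_data );
    wp_send_json_success();
}
add_action( 'wp_ajax_vulnerable_ajax_import_form', 'vulnerable_ajax_import_form' );

// AFTER: the same handler with the two checks a privileged admin-ajax action needs.
function hardened_ajax_import_form() {
    // 1. Anti-CSRF: the request must carry a nonce minted for this action on a
    //    page the user actually loaded. A cross-site page cannot read it, so a
    //    forged request fails here (check_ajax_referer() dies with -1 / HTTP 403).
    check_ajax_referer( 'import_form_nonce', 'security' );

    // 2. Authorization: importing (and overwriting) forms is an admin-level change.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $form_id   = isset( $_POST['formID'] ) ? absint( $_POST['formID'] ) : 0;
    $form_data = isset( $_POST['import'] ) ? wp_unslash( $_POST['import'] ) : '';
    save_imported_form( $form_id, $form_data );
    wp_send_json_success();
}
add_action( 'wp_ajax_hardened_ajax_import_form', 'hardened_ajax_import_form' );

// Assumed storage: persist the imported form under an option keyed by id.
// Custom-HTML fields are admin-authored by design, which is exactly why the
// handler that stores them must only ever run for an intentional admin request.
function save_imported_form( $form_id, $form_data ) {
    update_option( 'example_imported_form_' . $form_id, $form_data, false );
}

// The nonce the hardened handler expects is issued only to the legitimate
// admin page that posts the import; wp_nonce_field() emits the hidden input.
function render_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hardened_ajax_import_form">';
    wp_nonce_field( 'import_form_nonce', 'security' );
    echo '<textarea name="import"></textarea>';
    echo '<input type="number" name="formID" value="0">';
    echo '<button type="submit">Import</button></form>';
}
```

The nonce is the part that addresses this CVE: an attacker's page can make the admin's browser send a POST to admin-ajax.php, but it cannot know the value of the security field, so the forged import is rejected before any form data is stored. The capability check is the usual companion so that a low-privileged logged-in user cannot call the action directly either.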

The Action - XSS Vulnerability Exploited

To exploit the bug, the attacker merely has to get the target site's administrator to open a malicious link. As soon as the administrator clicks it, their browser sends the forged import request with their own session, the plugin accepts it as a legitimate admin action, and the attacker can import contact forms containing malicious JavaScript, replacing forms that already exist on the site.

This is the stored XSS half of the attack: the injected script is saved with the form and executed in the browser of the administrator (or any other user) who views it, eventually leading to:

  • The ability to create rogue administrator accounts
  • Redirecting site visitors to fraudulent sites
  • Complete takeover of the website

Ninja Forms WordPress Plugin Exploit Patch

If you run a WordPress site that uses the Ninja Forms plugin, there is no need to panic. Luckily, Wordfence reported this critical vulnerability to the Ninja Forms team on the same day it was identified.

The very next day, April 28, 2020, the Ninja Forms team released the fix in a plugin update.

Vulnerable versions: all versions earlier than 3.4.24.2
Fully patched version: 3.4.24.2 and later

So if you use the Ninja Forms WordPress plugin and have not yet updated to the latest version, it is high time to do so. Hurry up!