uTalk

Official forum for Utopia Community

#1 2023-07-31 21:35:18

thrive
Member
Registered: 2023-01-04
Posts: 2,007

Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

The Ninja Forms WordPress plugin has been found to contain a number of security flaws that could be used by hackers to gain elevated privileges and steal confidential information.

The vulnerabilities affect versions 3.6.25 and under and are identified as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, according to a report from Patchstack published last week. More than 800,000 websites use Ninja Forms.

The vulnerabilities are each briefly described below:

CVE-2023-37979 (CVSS score: 7.1) – A POST-based reflected cross-site scripting (XSS) vulnerability that could allow any unauthorized user to escalate their privileges on a target WordPress website by tricking authorized users into visiting a specially crafted website.
The form submissions export feature contains broken access control flaws (CVE-2023-38386 and CVE-2023-38393), which could allow a malicious user with the Subscriber and Contributor roles to export every Ninja Forms submission on a WordPress site.

Updates to version 3.6.26 of the plugin are advised for users to lessen potential threats.

The disclosure comes shortly after Patchstack identified a flaw affecting versions prior to 2.5.10 of the Freemius WordPress software development kit (SDK) that causes reflected XSS vulnerabilities that could be used to elevate privileges (CVE-2023-33999).

The HT Mega plugin's critical bug (CVE-2023-37999), which is present in versions 2.2.0 and lower and permits any unauthenticated user to elevate their privilege to that of any role on the WordPress website, was also found by the WordPress security company.

#2 2023-08-01 22:30:42

KAMSI_UG
Member
Registered: 2022-12-26
Posts: 1,980

Re: Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

Thanks mate, I think the rate at which the security levels on many platforms are dropping is very alarming and I think if we don't learn personal security it would be worse.
