uTalk

Official forum for Utopia Community

#1 2023-07-31 21:35:18

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

The Ninja Forms WordPress plugin has been found to contain a number of security flaws that could be used by hackers to gain elevated privileges and steal confidential information.

The vulnerabilities affect versions 3.6.25 and under and are identified as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, according to a report from Patchstack published last week. More than 800,000 websites use Ninja Forms.

The vulnerabilities are each briefly described below:

CVE-2023-37979 (CVSS score: 7.1) – A POST-based reflected cross-site scripting (XSS) vulnerability that could allow any unauthorized user to escalate their privileges on a target WordPress website by tricking authorized users into visiting a specially crafted website.
The form submissions export feature contains broken access control flaws (CVE-2023-38386 and CVE-2023-38393), which could allow a malicious user with the Subscriber and Contributor roles to export every Ninja Forms submission on a WordPress site.
Updates to version 3.6.26 of the plugin are advised for users to lessen potential threats.

The disclosure comes shortly after Patchstack identified a flaw affecting versions prior to 2.5.10 of the Freemius WordPress software development kit (SDK) that causes reflected XSS vulnerabilities that could be used to elevate privileges (CVE-2023-33999).

The HT Mega plugin's critical bug (CVE-2023-37999), which is present in versions 2.2.0 and lower and permits any unauthenticated user to elevate their privilege to that of any role on the WordPress website, was also found by the WordPress security company.

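An added example, not from the post above and not Ninja Forms' own code, of the defect class behind the export flaws (CVE-2023-38386 and CVE-2023-38393): a hypothetical WordPress plugin's "export all submissions" handler that any logged-in user can reach, beside a hardened version. Hook, function and post-type names are invented for the illustration.

```php
<?php
// Illustration only: hypothetical plugin, made-up hook/post-type names.

// DEFECTIVE: admin_post_* fires for every authenticated user, and nothing
// here checks a capability or a nonce. A Subscriber or Contributor who sends
// wp-admin/admin-post.php?action=example_export_submissions gets every record.
// (Shown for contrast; not registered below.)
function example_export_submissions_insecure() {
    example_stream_submissions_csv();
}

// HARDENED: authorize first, then verify the request origin, then do the work.
function example_export_submissions_secure() {
    // 1. Authorization by capability, not by role name: WordPress enforces
    //    capabilities, and 'manage_options' is held by administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to export submissions.', 'example' ), 403 );
    }
    // 2. Nonce bound to this action and user, so a crafted link on another
    //    site cannot trigger the export on an admin's behalf.
    check_admin_referer( 'example_export_submissions', 'example_nonce' );
    // 3. Audit trail: an unexpected bulk export should be visible in logs.
    error_log( sprintf( 'example: submissions export by user %d', get_current_user_id() ) );
    example_stream_submissions_csv();
}
add_action( 'admin_post_example_export_submissions', 'example_export_submissions_secure' );

// Shared helper: stream all stored submissions as CSV.
function example_stream_submissions_csv() {
    $submissions = get_posts( array(
        'post_type'   => 'example_submission',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'date', 'content' ) );
    foreach ( $submissions as $s ) {
        fputcsv( $out, array( $s->ID, $s->post_date, $s->post_content ) );
    }
    fclose( $out );
    exit;
}
```

The matching link in the admin UI would be built with wp_nonce_url() on the admin-post.php URL using the same action and 'example_nonce' argument so that check_admin_referer() accepts it.
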
#2 2023-08-01 22:30:42

KAMSI_UG
Member
Registered: 2022-12-26
Posts: 2,782

Re: Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

Thanks mate, I think the rate at which the security levels on many platforms are dropping is very alarming and I think if we don't learn personal security it would be worse.

#3 2024-06-19 22:15:04

gap
Member
Registered: 2023-06-14
Posts: 1,925

Re: Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

The discovery of security vulnerabilities in popular WordPress plugins like Ninja Forms, Freemius SDK, and HT Mega plugin raises serious concerns about the overall security posture of the WordPress ecosystem. While these plugins enhance the functionality of WordPress websites, they also introduce potential entry points for malicious actors to exploit.

#4 2024-06-19 22:15:29

Comrade
Member
From: Utopia App Client
Registered: 2022-12-30
Posts: 2,385

Re: Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

The vulnerabilities identified in Ninja Forms, particularly the reflected cross-site scripting (XSS) flaw (CVE-2023-37979), pose significant risks as they could allow unauthorized users to escalate their privileges and compromise sensitive data. This highlights the importance of timely updates and robust security measures to mitigate such risks.

#5 2024-06-19 22:16:10

Europ
Member
Registered: 2023-05-23
Posts: 2,186

Re: Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

Comrade;38249 wrote:

The vulnerabilities identified in Ninja Forms, particularly the reflected cross-site scripting (XSS) flaw (CVE-2023-37979), pose significant risks as they could allow unauthorized users to escalate their privileges and compromise sensitive data. This highlights the importance of timely updates and robust security measures to mitigate such risks.

On the other hand, the responsibility doesn't solely fall on plugin developers; website owners and administrators play a crucial role in maintaining the security of their WordPress installations. Regularly updating plugins to the latest versions, implementing security best practices, and conducting thorough security audits are essential steps to safeguarding against potential threats.

#6 2024-06-19 22:17:43

crpuusd
Member
From: Blockchain
Registered: 2022-12-13
Posts: 2,411

Re: Multiple flaws discovered in the Ninja Forms Plugin make 800,000 web

The disclosure of vulnerabilities in other popular plugins like Freemius SDK and HT Mega plugin further underscores the pervasive nature of security risks within the WordPress ecosystem. With millions of websites relying on WordPress and its plugins, the impact of these vulnerabilities can be widespread and severe.
