October 2, 2023

Researchers have identified multiple vulnerabilities in the Ninja Forms plugin for WordPress that have more than 900,000 active installations, mainly using to create any type of form, including contact forms and payment forms.

The vulnerabilities tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393 can be exploited by threat actors to escalate privileges and steal sensitive data.

The first vulnerability, tracked as CVE-2023-37979, is a POST-based reflected XSS that can be exploited by an unauthenticated user to steal sensitive information and perform privilege escalation on the WordPress site. The attacker can trigger the issue by tricking privileged users into visiting a crafted website.

Advertisements

The second and third vulnerabilities, tracked as CVE-2023-38393 and CVE-2023-38386, are a broken access control on form submissions export feature. Subscriber and Contributor role user can exploit the flaws to export all of the Ninja Forms submissions on a WordPress site.

The vulnerabilities were addressed with the release of version 3.6.26.

Below is the timeline for the above issues:

  • 22 June 2023 – The vulnerability has been identified, and the plugin vendor notified.
  • 04 July 2023 – Ninja Forms version 3.6.26 was published to patch the reported issue.
  • 25 July 2023 – Added the vulnerabilities to the Patchstack vulnerability database.
  • 27 July 2023 – Security advisory article released.
Tags:

Leave a Reply

You may have missed

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023

Exim Mail Transfer Server Vulnerabilities

September 30, 2023
%d bloggers like this: