Ninja Forms, a WordPress plugin used by more than 1 million sites, contains four critical security vulnerabilities that together make it possible for a remote attacker to take over a WordPress site and create various kinds of problems.
Ninja Forms offers WordPress site designers the ability to create forms using a drag-and-drop capability, with no coding skills required.
The four bugs allow lower-privileged users (even those who have simply registered for a site) to carry out a range of malicious activity. That includes eavesdropping on site email, taking over admin accounts, installing arbitrary add-ons to a target site and redirecting site owners to malicious destinations.
Three of the bugs do require social engineering to be successful.
Bug 1: Authenticated Email Hijacking and Account Takeover with SendWP Plugin
The first bug allows attackers with subscriber-level access or above to abuse SendWP to intercept all mail traffic, including password reset links for administrative accounts, researchers said. SendWP is an email delivery and logging service intended to make mail handling with WordPress simpler.
Attackers with subscriber or above access to a vulnerable WordPress site could establish a SendWP connection with their own SendWP account, so that all mail from the WordPress site would be routed through and logged in the attackers SendWP account.
If exploited, this could ultimately lead to remote code execution and site takeover by using an admin account to modify theme/plugin files or uploading a malicious theme/plugin, according to Wordfence, which said the flaw also carries an estimated CVSS rating of 9.9 out of 10 (CVEs are pending for all bugs).
“At that point they can monitor all data emailed which could range from user personally identifiable information (PII) from form submissions to reports generated on your site,” researchers warned. “Further, an attacker could trigger a password reset for an administrative user account, if they could discover the username for an account.”
Accomplishing this is not that difficult, according to the Wordfence analysis, released on Tuesday.
“In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install,” researchers explained. “This AJAX action is tied to the function wp_ajax_ninja_forms_sendwp_remote_install_handler, that checks to see if the SendWP plugin is installed and activated. If the plugin is not currently installed, then it performs the installation and activation of the SendWP plugin.”
Once the plugin has been installed successfully, the function will return the registration url, along with the client_name, client_secret, register_url and client_url. This is used to show users the sign-up page and easily connect their WordPress instance with SendWP.
“Unfortunately, this AJAX action did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection,” according to the analysis.
A potential mitigation to widespread, automated exploitation is the fact that SendWP is a paid add-on, costing $9 per month per site, researchers noted.
Bug 2: Authenticated OAuth Connection Key Disclosure
The second bug carries an estimated CVSS score of 7.7, and is present in the Ninja Forms “Add-on Manager” service, a centralized dashboard that allows users to remotely manage all purchased Ninja Forms add-ons.
According to Wordfence, attackers could establish an OAuth connection for a vulnerable WordPress site with their own account, and be able to install any purchased Add-On plugins on the target site that they choose.
In order to complete the malicious connection, attackers would need to trick the site administrator into clicking a special link to update the client_id parameter in the site database with an altered AJAX action.
“The plugin registers the AJAX action wp_ajax_nf_oauth which is used to retrieve the connection_url that contains the information necessary, like the client_secret, to establish an OAuth connection with the Ninja Forms Add-On Management portal,” according to the analysis. “Unfortunately, there was no capability check on this function.”
That means that low-level users, such as subscribers, were able to trigger the action and retrieve the connection URL needed to establish a connection with the dashboard. Attackers could also retrieve the client_id for an already established OAuth connection, researchers said.
Bug 3: Cross-Site Request Forgery to OAuth Service Disconnection
The third bug exists in the Ninja Forms Add-Ons Manager’s ability to easily disconnect an established OAuth connection with just a few clicks. This bug carries a 6.1 CVSS rating, making it medium-severity.
Attackers could send a request to disconnect the current OAuth connection – Wordfence noted that this “could be a puzzling experience for a site owner.” To do so, they would need to craft a legitimate request, host it externally, and trick an administrator into clicking a link or attachment.
“In order to provide this functionality, the plugin registered an AJAX action wp_ajax_nf_oauth_disconnect tied to the function disconnect(). The disconnect() function would simply disconnect an established connection by deleting the options associated with the connection settings in the database,” according to Wordfence. “Unfortunately, this feature did not have nonce protection.”
Bug 4: Administrator Open Redirect
The final issue is present in the OAuth connection process; it’s considered medium-severity with a CVSS score of 4.8.
To exploit this, an attacker would need to craft a special URL with the redirect parameter set to an arbitrary site, and then socially engineer an administrator into clicking the link. If successful, the administrator could be redirected to an external malicious site which could infect the administrator’s computer with malware.
“The plugin registers an AJAX action, wp_ajax_nf_oauth_connect, that is registered to the function connect() which is used to redirect a site owner back to the WordPress site’s Ninja Forms service page after the user has finished the OAuth connection process,” according to the analysis. “This function uses wp_safe_redirect to redirect site owners back to the admin.php?page=ninja-forms#services page by default.”
However, the issue is that the ‘redirect’ parameter can be swapped out with different values, to instead redirect the site administrator to an arbitrary URL supplied in that parameter.
“There is no protection on the redirection URL validating where the redirect goes, nor was there any protection to prevent an attacker from using the function to redirect a site administrator to a malicious location,” researchers explained. “There was the use of wp_verify_nonce(),however, it was commented out and rendered unusable.”
Saturday Drive, the plugin’s parent company, has patched all of the bugs, fixed in version 126.96.36.199.
WordPress Plugin Security Problems
WordPress plugins continue to present serious vulnerabilities. In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also in January, developers of a plugin called Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter, used by WordPress websites for building pop-up ads for newsletter subscriptions, issued a patch for a serious flaw. The vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.