A popular WordPress forms builder plugin, Ninja Forms, has been found to be vulnerable to multiple high-severity security flaws.

The vulnerabilities could allow an attacker to steal sensitive information, take control of a WordPress site, or even upload malicious files.

The first vulnerability is a reflected cross-site scripting (XSS) flaw. It could allow an attacker to inject a malicious script into a Ninja Forms form, which would then run in the browser of anyone who views the form. Such a script could steal cookies, session tokens, or other sensitive information.

The second and third vulnerabilities are broken access controls on the form submissions export feature. They could allow lower-privileged users to export all of the Ninja Forms submissions on a WordPress site. This could expose sensitive information, such as user names, email addresses, and contact details.


The vulnerabilities have been assigned the following CVEs:

  • CVE-2023-37979: Reflected XSS flaw
  • CVE-2023-38393: Broken access control on form submissions export feature (Subscriber+)
  • CVE-2023-38386: Broken access control on form submissions export feature (Contributor+)

The vulnerabilities have been fixed in Ninja Forms version 3.6.26. Users are advised to update to the latest version as soon as possible.
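The broken access controls on the submissions export feature are the kind of flaw that comes from a privileged handler that never asks who is calling it. The following is an added illustration in plain WordPress plugin code, not Ninja Forms' source: a hypothetical AJAX export handler with no authorization check, beside the same handler gated on an administrator capability and a nonce. The `example_*` function names, the `example_submission` post type, and the `nonce` parameter are assumptions for the illustration.

```php
<?php
// Illustrative WordPress plugin code (not Ninja Forms' own source).

// BEFORE: any logged-in user (Subscriber and up) can hit this endpoint, and the
// handler never checks a capability or a nonce, so every submission can be pulled.
add_action( 'wp_ajax_example_export_submissions', 'example_export_submissions_insecure' );
function example_export_submissions_insecure() {
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    example_stream_csv( example_fetch_submissions( $form_id ) );
    wp_die();
}

// AFTER: require a capability only administrators hold by default, then verify a
// nonce bound to the export action. Both checks fail closed with HTTP 403.
// No wp_ajax_nopriv_ hook is registered, so anonymous requests never reach this.
add_action( 'wp_ajax_example_export_submissions_v2', 'example_export_submissions_secure' );
function example_export_submissions_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 ); // calls wp_die()
    }
    check_ajax_referer( 'example_export_submissions', 'nonce' ); // dies with 403 on a bad nonce
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    example_stream_csv( example_fetch_submissions( $form_id ) );
    wp_die();
}

// Assumed storage model: one post of a custom type per submission, keyed to its form.
function example_fetch_submissions( $form_id ) {
    $posts = get_posts( array(
        'post_type'   => 'example_submission',
        'post_status' => 'any',
        'numberposts' => -1,
        'meta_key'    => 'form_id',
        'meta_value'  => $form_id,
    ) );
    $rows = array();
    foreach ( $posts as $post ) {
        $rows[] = array( $post->ID, $post->post_date, get_post_meta( $post->ID, 'email', true ) );
    }
    return $rows;
}

// Stream rows as CSV; values are passed through fputcsv so they are quoted safely.
function example_stream_csv( array $rows ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="submissions.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'submitted', 'email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
}
```

The request side must send the matching nonce, created with `wp_create_nonce( 'example_export_submissions' )` and passed to the script that issues the AJAX call; a review of any export or download handler should confirm both the capability check and the nonce are present before data is read.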
