WordPress plugin exploit puts more than one million sites at risk
The vulnerabilities could lead to a complete site takeover
Four severe vulnerabilities have been identified in a single WordPress plugin used by more than one million websites. The bugs were discovered affecting the Ninja Forms plugin, a drag-and-drop form builder, and could be used to take over a WordPress site and redirect administrators to malicious portals.
The first flaw makes it possible to redirect site owners to arbitrary locations, taking advantage of the wp_safe_redirect function. Attackers could craft a link with a redirect parameter that sends the site owner to a malicious URL, framed as part of an inquiry into the site's unusual behaviour. That pretext could be enough to convince the administrator to unwittingly click the malicious link.
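The article only says that a redirect parameter was abused; it does not give the plugin's code. The following is an added, constructed WordPress example (not Ninja Forms code) contrasting a handler that forwards a request-supplied target with one that requires a capability and nonce, validates the destination with wp_validate_redirect(), and restricts it to the site's own admin area. The function and action names are assumptions.

```php
<?php
// Constructed example, not the plugin's code: a WordPress admin action that
// accepts a "redirect" query parameter from the request.

// --- Weak: trusts the request and leans on wp_safe_redirect() alone.
// Anyone who can get an administrator to click the link controls the
// parameter; there is no nonce and no capability check.
function example_weak_redirect_handler() {
    $target = isset( $_GET['redirect'] ) ? $_GET['redirect'] : '';
    wp_safe_redirect( $target );
    exit;
}

// --- Hardened version.
function example_hardened_redirect_handler() {
    // Only users with the right capability may trigger the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // A nonce ties the link to the user's session, so a link forged
    // in an e-mail fails here instead of being followed.
    check_admin_referer( 'example_redirect_action' );

    $raw      = isset( $_GET['redirect'] ) ? wp_unslash( $_GET['redirect'] ) : '';
    $fallback = admin_url();

    // wp_validate_redirect() returns $fallback unless the URL's host is in
    // WordPress's allowed redirect hosts (the site itself by default).
    $target = wp_validate_redirect( esc_url_raw( $raw ), $fallback );

    // Belt and braces: only accept destinations under wp-admin.
    if ( 0 !== strpos( $target, admin_url() ) ) {
        $target = $fallback;
    }

    wp_safe_redirect( $target );
    exit;
}
add_action( 'admin_post_example_redirect', 'example_hardened_redirect_handler' );
```

Links to the hardened handler must be generated with wp_nonce_url() for the same action name, otherwise check_admin_referer() rejects them.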
The second vulnerability allows attackers to intercept email traffic, provided they have subscriber-level access or above. The third makes it possible for attackers to access the Ninja Forms central management dashboard by gaining access to the authentication key, while the fourth flaw allows threat actors to disconnect a site's OAuth connection, meaning that there would be no way of carrying out access delegation.
Severe vulnerabilities
“In today’s post, we detailed four flaws in the Ninja Forms plugin that granted attackers the ability to obtain sensitive information while also allowing them the ability to redirect administrative users,” Chloe Chamberland, a member of the Wordfence Threat Intelligence Team, said. “These flaws have been fully patched in version 3.4.34.1. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.”
The four flaws have been granted different levels of severity, with the most dangerous being given a CVSS score of 9.9. However, given the popularity of the affected plugin, even the least severe threat should be patched as soon as possible.
Ninja Forms released a fix for three of the vulnerabilities on January 25, with the final flaw patched on February 8.
Via Wordfence
Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.