Ninja Forms Contact Form Vulnerability – The Drag and Drop Form Builder for WordPress – Cross-Site Request Forgery to Publicly Accessible Form Submission Export – CVE-2024-2113 | WordPress Plugin Vulnerability Report
Plugin Name: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Key Information:
- Software Type: Plugin
- Software Slug: ninja-forms
- Software Status: Active
- Software Author: kstover
- Software Downloads: 43,897,090
- Active Installs: 800,000
- Last Updated: April 1, 2024
- Patched Versions: 3.8.1
- Affected Versions: <= 3.8.0
Vulnerability Details:
- Name: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.8.0
- Title: Cross-Site Request Forgery to Publicly Accessible Form Submission Export
- Type: Cross-Site Request Forgery (CSRF)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- CVE: CVE-2024-2113
- CVSS Score: 4.3 (Medium)
- Publicly Published: March 28, 2024
- Researcher: Tobias Weißhaar (kun_19)
- Description: The Ninja Forms plugin is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.8.0 because one of its AJAX actions does not validate a nonce. An unauthenticated attacker who gets a logged-in administrator to open a page or link they control can forge a request that the browser sends with the administrator's session cookies, triggering an export of form submissions to a publicly accessible location from which the attacker can then retrieve the file. The CVSS vector reflects this: no privileges are required of the attacker (PR:N), but a victim interaction is (UI:R), and the impact is limited to confidentiality (C:L).
Summary:
The Ninja Forms Contact Form plugin, active on roughly 800,000 WordPress sites, contains a Cross-Site Request Forgery vulnerability in versions up to and including 3.8.0. The flaw can expose submitted form data (which often includes names, email addresses and message contents) and is fixed in version 3.8.1.
Detailed Overview:
Discovered by security researcher Tobias Weißhaar, this CSRF vulnerability comes down to a missing nonce check in one of the plugin's AJAX actions. The attacker needs no account on the target site: the forged request runs under the session of an administrator who was lured into visiting an attacker-controlled page, so WordPress's capability checks alone do not stop it. Because the export is written to a publicly accessible location, the attacker does not need to read the AJAX response; they can simply fetch the exported submissions afterwards. The severity is moderate (CVSS 4.3) since it requires user interaction and affects confidentiality only, but the data in contact-form submissions is frequently personal data. The plugin developers released a fixed version (3.8.1) shortly after disclosure.
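The pattern described above, shown as an added illustration rather than Ninja Forms' own code: a WordPress AJAX handler that exports submissions, first with the capability check only (the CSRF-prone shape), then hardened with a nonce. The action name `example_export_submissions`, the `security` request parameter, the script handle and the export helper are all hypothetical; the WordPress functions (`check_ajax_referer`, `wp_create_nonce`, `wp_localize_script`, `wp_upload_dir`, `wp_generate_password`) are real core APIs.

```php
<?php
// Added example (not Ninja Forms' code). Action name, parameter name and
// export helper are hypothetical; WordPress core functions are real.

// Vulnerable shape: the handler trusts any request that arrives with the
// administrator's session cookie. A page on another origin can auto-submit a
// form to /wp-admin/admin-ajax.php?action=example_export_submissions, the
// browser attaches the cookie, current_user_can() passes, and the export runs.
function example_export_submissions_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form_id = isset( $_REQUEST['form_id'] ) ? absint( $_REQUEST['form_id'] ) : 0;
    $path    = example_write_export( $form_id );
    wp_send_json_success( array( 'file' => basename( $path ) ) );
}

// Hardened shape: require a nonce bound to this action and to the current
// user's session. check_ajax_referer() wraps wp_verify_nonce() and, by
// default, terminates the request with "-1" when the nonce is absent or
// invalid, so a cross-site forgery never reaches the export. The capability
// check stays: a nonce proves the request came from our own page, not that
// the user is allowed to export.
function example_export_submissions_hardened() {
    check_ajax_referer( 'example_export_submissions', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form_id = isset( $_REQUEST['form_id'] ) ? absint( $_REQUEST['form_id'] ) : 0;
    $path    = example_write_export( $form_id );
    wp_send_json_success( array( 'file' => basename( $path ) ) );
}
add_action( 'wp_ajax_example_export_submissions', 'example_export_submissions_hardened' );

// The legitimate caller must obtain the nonce server-side and send it as the
// "security" parameter. A cross-origin attacker cannot read it, which is what
// makes the check effective.
function example_enqueue_export_script() {
    wp_enqueue_script( 'example-export', plugins_url( 'export.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-export', 'exampleExport', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'example_export_submissions' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_export_script' );

// Hypothetical export writer. This addresses the second half of the finding,
// the export landing in a publicly accessible location: an unguessable file
// name limits who can fetch it, and serving it back through an authenticated
// download (or writing outside the web root) would remove the exposure
// entirely. The CSV content is a constructed placeholder.
function example_write_export( $form_id ) {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'example-exports/';
    wp_mkdir_p( $dir );
    $file = $dir . 'form-' . $form_id . '-' . wp_generate_password( 24, false ) . '.csv';
    file_put_contents( $file, "id,email,message\n" );
    return $file;
}
```

The one-line difference between the two handlers (the `check_ajax_referer()` call) is the whole fix for the CSRF half; a `current_user_can()` check on its own cannot distinguish an administrator's deliberate click from a request a third-party page forged on the administrator's behalf.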
Advice for Users:
- Immediate Action: Users of the Ninja Forms plugin are strongly advised to update to the patched version 3.8.1 immediately to safeguard their websites from potential exploitation.
- Check for Signs of Exploitation: Site administrators should review web server access logs for requests to wp-admin/admin-ajax.php that invoke the plugin's export action, paying particular attention to requests whose Referer header is absent or points to a foreign origin, since those are the ones a logged-in administrator's browser would have sent on behalf of another site. They should also inspect the uploads directory for submission export files that no administrator recalls creating; any such files should be removed and the submissions they contain treated as exposed.
- Alternate Plugins: While the vulnerability has been addressed, users may explore alternative form builder plugins as a precautionary measure, especially if they have ongoing concerns about security.
- Stay Updated: Maintaining the latest versions of all WordPress plugins is essential for site security. Users should regularly check for and apply updates to defend against known vulnerabilities.
Conclusion:
The prompt response by the developers of Ninja Forms to patch the CSRF vulnerability underscores the critical importance of maintaining up-to-date software on all WordPress sites. Users are urged to ensure their Ninja Forms plugin is updated to version 3.8.1 or later, reinforcing their site's defenses against this and other potential security threats.