Ninja Forms – The Contact Form Builder That Grows With You Vulnerability – Authenticated (Subscriber+) Arbitrary Shortcode Execution – CVE-2024-37934 | WordPress Plugin Vulnerability Report
Plugin name: Ninja Forms – The Contact Form Builder That Grows With You
Key Information:
- Software Type: Plugin
- Software Slug: ninja-forms
- Software Status: Active
- Software Author: kstover
- Software Downloads: 45,866,064
- Active Installs: 800,000
- Last Updated: July 27, 2024
- Patched Versions: 3.8.5
- Affected Versions: <= 3.8.4
Vulnerability Details:
- Name: Ninja Forms <= 3.8.4
- Title: Authenticated (Subscriber+) Arbitrary Shortcode Execution
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2024-37934
- CVSS Score: 4.3
- Publicly Published: July 4, 2024
- Researcher: Rafie Muhammad - Patchstack
- Description: The Ninja Forms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 3.8.4. The plugin exposes an action that passes a user-controlled value to do_shortcode without properly validating it first, so any authenticated user with subscriber-level access or higher can make the site render shortcodes of their choosing. Every shortcode registered on the site, whether by core, the theme or another plugin, becomes reachable with subscriber privileges, which can be used to inject content or trigger functionality that would normally require a higher role.
Summary:
The Ninja Forms plugin for WordPress has a vulnerability in versions up to and including 3.8.4 that allows authenticated attackers with subscriber-level access and above to execute arbitrary shortcodes. This vulnerability has been patched in version 3.8.5.
Detailed Overview:
The vulnerability was discovered by Rafie Muhammad of Patchstack. It stems from insufficient validation of input before that input is passed to do_shortcode, which lets authenticated users with subscriber-level access or higher run arbitrary shortcodes. Because every shortcode registered on the site is reachable, the impact is not limited to what Ninja Forms itself renders: the attacker can inject unauthorized content or invoke whatever behaviour another plugin's or the theme's shortcodes expose, affecting the integrity of the site. The CVSS 3.1 score of 4.3 (Medium) reflects that the attacker needs an account but no user interaction and no special access conditions. Sites with open user registration should treat the issue as more pressing, since there any visitor can obtain the subscriber role required to exploit it.
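The pattern described above, shown as an added example rather than Ninja Forms' own code: a hypothetical admin-ajax handler (the hook name hypo_preview, the hypo_ prefix and the nonce action are all assumptions) that renders caller-supplied shortcodes, next to a hardened version. It assumes a WordPress environment, since it uses core functions such as do_shortcode, check_ajax_referer and current_user_can.

```php
<?php
// Added illustrative example, not Ninja Forms' code. The hook name
// 'hypo_preview', the 'hypo_' prefix and the nonce action are assumptions.

// --- Vulnerable pattern: user-controlled content reaches do_shortcode. ---
// Any logged-in user can reach a wp_ajax_* hook through admin-ajax.php.
// This handler checks neither a nonce nor a capability before rendering
// whatever the caller sends, so a subscriber can expand every shortcode
// registered on the site, including ones from other plugins or the theme.
function hypo_preview_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    wp_send_json_success( array( 'html' => do_shortcode( $content ) ) );
}

// --- Hardened pattern. ---
// 1. Nonce and capability checks reject subscribers up front.
// 2. Only a fixed allowlist of this plugin's own shortcodes is expanded;
//    every other registered tag is left as literal text for this call.
function hypo_preview_hardened() {
    check_ajax_referer( 'hypo_preview', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';
    wp_send_json_success( array(
        'html' => hypo_do_shortcode_allowlisted( $content, array( 'hypo_form' ) ),
    ) );
}

// Expand only the shortcodes named in $allowed. do_shortcode() builds its
// regex from the global $shortcode_tags registry, so narrowing that registry
// for the duration of the call makes every other tag inert (unregistered
// tags are left as plain text). The registry is restored even if a
// shortcode callback throws.
function hypo_do_shortcode_allowlisted( $content, array $allowed ) {
    global $shortcode_tags;
    $saved          = $shortcode_tags;
    $shortcode_tags = array_intersect_key( $saved, array_flip( $allowed ) );
    try {
        return do_shortcode( $content );
    } finally {
        $shortcode_tags = $saved;
    }
}

add_action( 'wp_ajax_hypo_preview', 'hypo_preview_hardened' );
```

The capability check is the fix that maps directly to the PR:L finding; the allowlist is defence in depth, so that even a user who legitimately holds edit_posts cannot reach shortcodes the preview was never meant to render. When the content to render is already stored server-side (a saved form), the better design is to accept only an identifier and load the content yourself, never the content itself.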
Advice for Users:
- Immediate Action: Update to version 3.8.5 or later. The fix is in the plugin itself, so there is no configuration workaround short of deactivating the plugin.
- Check for Signs of Exploitation: Review rendered form and page output for shortcodes or content you did not add, and audit accounts with subscriber-level access, particularly if user registration is open, since those are the accounts from which the issue can be exploited.
- Alternate Plugins: The patch addresses this issue, but when evaluating form builders, weigh how the vendor handles security reports and releases fixes alongside features.
- Stay Updated: Keep plugins on their latest versions; most WordPress compromises use vulnerabilities that already have a patch available.
Conclusion:
The swift response from the Ninja Forms development team in addressing this vulnerability underscores the importance of keeping plugins up to date. Users are advised to ensure that they are running version 3.8.5 or later to protect their WordPress installations from potential security risks. Staying proactive in managing updates and security practices is essential for maintaining a safe and reliable website.