Security firm Sucuri has informed me, that the WordPress Ninja Forms plugin has a critical SQL Injection Vulnerability.
Advertising
The vulnerability has been found during regular research audits for the Sucuri Firewall. Sucuri researchers discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.
The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim's site. It doesn't matter what the account privileges are – for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn't escape parameters provided by its shortcodes before concatenating it to an SQL query.
A malicious individual using this bug could (among other things) leak the site's usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys. The patched version 2.9.55.2 of Ninja Forms plugin closes the vulnerability. Futher details may be found in Sucuri blog.
