SQL Injection Vulnerability in Ninja Forms

Security firm Sucuri has informed me that the WordPress Ninja Forms plugin has a critical SQL injection vulnerability.



The vulnerability was found during regular research audits for the Sucuri Firewall. Sucuri researchers discovered an SQL injection vulnerability affecting the Ninja Forms plugin for WordPress, which is currently installed on 600,000+ websites.

The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim's site. The account's privileges don't matter; for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn't escape the parameters provided by its shortcodes before concatenating them into an SQL query.
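
The flaw class described above, shown as an added example that is not Ninja Forms code and not taken from Sucuri's write-up: a shortcode handler that concatenates an attribute into SQL, next to a version that validates the value and binds it with `$wpdb->prepare()`. The shortcode names, the `form_id` attribute and the `demo_submissions` table are hypothetical.

```php
<?php
// Added illustration: hypothetical plugin code, not Ninja Forms source.
// Assumes a WordPress environment and a hypothetical table
// {prefix}demo_submissions with an integer form_id column.

// VULNERABLE: the shortcode attribute is concatenated straight into the query.
function demo_count_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'form_id' => '0' ), $atts, 'demo_count_vulnerable' );

    // $atts['form_id'] is whatever text was typed into the shortcode, so it
    // becomes part of the SQL statement itself rather than a value in it.
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}demo_submissions WHERE form_id = "
        . $atts['form_id'];

    return esc_html( (string) $wpdb->get_var( $sql ) );
}
add_shortcode( 'demo_count_vulnerable', 'demo_count_vulnerable' );

// HARDENED: enforce the expected type, then bind the value as a parameter.
function demo_count_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'form_id' => '0' ), $atts, 'demo_count_safe' );

    // absint() casts to a non-negative integer; anything without a leading
    // number collapses to 0, which is rejected here.
    $form_id = absint( $atts['form_id'] );
    if ( 0 === $form_id ) {
        return '';
    }

    // %d makes $wpdb->prepare() format the argument as an integer, so the
    // attribute can no longer change the structure of the query.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}demo_submissions WHERE form_id = %d",
        $form_id
    );

    return esc_html( (string) $wpdb->get_var( $sql ) );
}
add_shortcode( 'demo_count_safe', 'demo_count_safe' );
```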

A malicious individual using this bug could (among other things) leak the site's usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys. The patched version 2.9.55.2 of the Ninja Forms plugin closes the vulnerability. Further details may be found on the Sucuri blog.

