Several security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress, which could be exploited by threat actors to elevate privileges and steal sensitive data.
Patchstack said in a report last week that the flaws tracked as CVE-2023-37979, CVE-2023-38386 and CVE-2023-38393 affect versions 3.6.25 and below. Ninja Forms is installed on over 800,000 sites.
A brief description of each of the vulnerabilities is given below –
- CVE-2023-37979 (CVSS score: 7.1) – A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users into visiting a specially crafted website.
- CVE-2023-38386 and CVE-2023-38393 – Broken access control flaws in the form submission export feature that could enable a bad actor with the Subscriber and Contributor roles to export all Ninja Form submissions on a WordPress site.
Users of the plugin are advised to update to version 3.6.26 to mitigate potential threats.
The disclosure comes after Patchstack publicized another XSS vulnerability in the Freemius WordPress Software Development Kit (SDK) affecting versions prior to 2.5.10 (CVE-2023-33999), which can be exploited to gain elevated privileges.
A critical bug has also been discovered by the WordPress security company in the HT Mega plugin (CVE-2023-37999), present in versions 2.2.0 and below, that allows any unauthenticated user with any role on a WordPress site to achieve privilege escalation.