THE OUTRAGEOUS REALITY ABOUT WORDPRESS PLUGINS
Two vulnerabilities have been discovered in the popular Ninja Forms WordPress plugin which could have allowed malicious actors to steal private information and send phishing emails from a susceptible site, according to security researchers. Ninja Forms has been downloaded approximately one million times, according to Wordfence, a company that builds security products for WordPress installations.
According to the researchers, the problems stemmed from the fact that this widely used form-building plugin relied on an insecure implementation of its permission checks. Because of that flawed implementation, any logged-in user who could view a page containing the vulnerable code was able to get past the check and perform whatever action it was supposed to protect.
Is it really you?
One of the flaws, a bulk export vulnerability, allowed any logged-in user to download every submission ever made to any of the site’s forms. The other allowed any user to send an email from a vulnerable WordPress site to any recipient they chose.
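The bug class described above, as an added illustration that is not Ninja Forms’ own code: an AJAX export handler whose only gate is a request token that any logged-in user can read out of the page, beside the hardened version that also checks a capability. The nonce-only gate, the `demo_` function names and the `demo_submissions` table are assumptions made for this example, not details from the report.

```php
<?php
// Added example, not Ninja Forms' own code. Assumption: the weak "permission"
// check is a WordPress nonce alone. A nonce only proves the request came from
// a page the plugin rendered; any logged-in user who can load that page can
// read the nonce from the HTML, so it defends against CSRF, not against
// low-privilege users. Authorization needs a separate capability check.

// --- Weak: nonce-only gate on a privileged action ------------------------
function demo_export_submissions_weak() {
    // Blocks forged cross-site requests, but any logged-in user passes.
    check_ajax_referer( 'demo_export', 'security' );

    $rows = demo_collect_submissions();   // hypothetical helper (below)
    wp_send_json_success( $rows );        // every form submission is returned
}

// --- Hardened: nonce AND capability check ---------------------------------
function demo_export_submissions_hardened() {
    check_ajax_referer( 'demo_export', 'security' );

    // Authorization: only users who may manage the site can export data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $rows = demo_collect_submissions();
    wp_send_json_success( $rows );
}

// Register only the hardened handler, and only on the logged-in hook
// (no wp_ajax_nopriv_ variant), so anonymous callers never reach it.
add_action( 'wp_ajax_demo_export', 'demo_export_submissions_hardened' );

// Hypothetical data-access helper; the table name is a placeholder.
function demo_collect_submissions() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_submissions';
    return $wpdb->get_results( "SELECT id, form_id, value FROM {$table}", ARRAY_A );
}
```

The same capability check belongs in front of any handler that calls `wp_mail()` on behalf of the request, which is what closes the second flaw described above.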
According to Wordfence, “this vulnerability might be used to begin a phishing campaign that could lure unwary people into undertaking undesired acts by leveraging their faith in the domain that sent the email.” It could also be used to trick site administrators into unwittingly assisting with a site takeover.
Wordfence responsibly disclosed the vulnerabilities to Ninja Forms on August 3, 2021. The company acknowledged them immediately and published a fix last month as Ninja Forms v3.5.8, which is now publicly available.