An SQL injection vulnerability has been discovered in Ninja Forms that could allow an attacker to obtain site and user credentials. Ninja Forms is a plugin used to build forms within WordPress sites.
- WordPress sites with Ninja Forms versions prior to v18.104.22.168
Ninja Forms has released an update that addresses this vulnerability, which could allow credentials to be leaked. The vulnerability exists in all versions prior to 22.214.171.124.
The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim's site. The account's privileges do not matter; for example, a subscriber could exploit this issue. The issue occurs because the plugin does not escape the parameters provided through its shortcodes before concatenating them into an SQL query. A malicious individual using this bug could, among other things, leak the site's usernames and hashed passwords. In certain configurations, it can also leak the WordPress secret keys.
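To show the defect class the advisory describes, here is an added illustration (not Ninja Forms' own code): a hypothetical shortcode handler, with a made-up table name and function names, first in the vulnerable shape where a shortcode attribute is concatenated into the query, then hardened with type validation and `$wpdb->prepare()`.

```php
<?php
// Added example, not code from the Ninja Forms plugin. The table
// `{$wpdb->prefix}example_forms` and the function names are hypothetical.

// Vulnerable pattern: the shortcode attribute is concatenated straight into
// the SQL statement. Whoever controls the attribute value, as the advisory
// notes any logged-in account could, controls part of the query.
function example_form_lookup_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_form' );
    $sql  = "SELECT id, title FROM {$wpdb->prefix}example_forms WHERE id = " . $atts['id'];
    return $wpdb->get_row( $sql );
}

// Hardened pattern: coerce the attribute to the type the query expects and
// bind it through $wpdb->prepare(), so it can only ever act as a value, never
// as SQL syntax. absint() and shortcode_atts() are standard WordPress APIs.
function example_form_lookup_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_form' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return null; // reject missing or non-numeric ids outright
    }
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_forms WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

When auditing a plugin for this bug class, search for `$wpdb->query`, `get_row`, `get_results` or `get_var` calls whose SQL string is built with `.` concatenation or string interpolation of any value that originates in `shortcode_atts()`, `$_GET`, `$_POST` or user-editable content.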
- After appropriate testing, upgrade to the latest version of Ninja Forms immediately.
- Apply the principle of least privilege to all systems and services.
- Verify that no unauthorized system modifications have occurred on the system before applying the patch.
- Limit user account privileges to only those required.
- Ensure all applications/components on your website are up to date with their respective patches.
- Remove the Ninja Forms plugin if you are no longer using it on your website.
https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html