Vulnerability in Ninja Forms Could Allow For Leaked Credentials

ITS Advisory Number: 2016-142
Date(s) Issued: Monday, August 29, 2016
Subject: Vulnerability in Ninja Forms Could Allow For Leaked Credentials
Overview: 

An SQL injection vulnerability has been discovered in Ninja Forms that could allow an attacker to obtain site and user credentials. Ninja Forms is a plugin used to build forms within WordPress sites.

Systems Affected: 
  • WordPress sites with Ninja Forms versions prior to v2.9.55.2
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Business:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Ninja Forms has released an update that addresses this vulnerability, which could allow for leaked credentials. This vulnerability exists in all versions prior to 2.9.55.2.

The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim's site. It does not matter what the account privileges are - for example, a subscriber could exploit this issue. The issue occurs because the plugin does not escape parameters provided by its shortcodes before concatenating them into an SQL query. A malicious individual using this bug could (among other things) leak the site's usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.

Actions: 
  • After appropriate testing, upgrade to latest version of Ninja Forms immediately.
  • Apply the principle of Least Privilege to all systems and services.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Limit user account privileges to only those required.
  • Ensure all applications/components on your website are up to date with their respective patches.
  • Remove the Ninja Forms plugin if you are no longer using it in your website.
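
To find the installs that still need the upgrade, the following added example (not part of the original advisory or of the Ninja Forms project) walks a web root, reads the `Version:` line from each Ninja Forms plugin header, and flags anything older than 2.9.55.2. The plugin path `wp-content/plugins/ninja-forms/ninja-forms.php`, the function names, and the sample header are assumptions made for illustration.

```python
import os
import re

FIXED = (2, 9, 55, 2)  # first fixed release named in the advisory
# Assumption: default plugin directory and main file name.
PLUGIN_FILE = os.path.join("wp-content", "plugins", "ninja-forms", "ninja-forms.php")
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# Constructed sample plugin header, not copied from the plugin.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Ninja Forms\nVersion: 2.9.55.1\n*/\n"


def header_version(php_source):
    """Return the Version: value from a WordPress plugin header, or None."""
    match = HEADER_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(text):
    """Turn '2.9.55.2' into (2, 9, 55, 2); stop at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
        if digits.group() != piece:  # e.g. '55-beta': keep 55, ignore the suffix
            break
    return tuple(parts)


def is_affected(version_text):
    """True when the version is older than the fixed release, or unreadable."""
    found = version_tuple(version_text or "")
    if not found:
        return True  # unknown version: flag for manual review
    width = max(len(found), len(FIXED))
    padded_found = found + (0,) * (width - len(found))
    return padded_found < FIXED + (0,) * (width - len(FIXED))


def audit(root):
    """Yield (path, version, affected) for each Ninja Forms install under root."""
    for dirpath, _dirs, _files in os.walk(root):
        candidate = os.path.join(dirpath, PLUGIN_FILE)
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8", errors="replace") as handle:
                version = header_version(handle.read(8192))  # header is at the top
            yield candidate, version, is_affected(version)
```

Calling `list(audit("/var/www"))` returns one tuple per install found; a missing or unparsable version is reported as affected so that it gets checked by hand.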
References: 

Sucuri:

https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html