A critical security flaw in Ninja Forms, a popular WordPress plugin installed on over one million websites, allows attackers to take complete control of affected sites. The vulnerability, tracked as CVE-2023-5825, enables unauthenticated remote code execution (RCE), and administrators are urged to apply security updates immediately.
The flaw is an arbitrary file upload vulnerability affecting Ninja Forms versions up to and including 3.6.11. According to security research firm Patchstack, the plugin's file upload function did not properly validate user permissions or file types. This oversight allows an attacker, without needing any login credentials, to upload malicious files such as a PHP web shell directly to the server. The critical nature of the flaw is reflected in its CVSS score of 9.8 out of 10.
Once a malicious file is on the server, an attacker can execute arbitrary commands. This can lead to a full website compromise, enabling the attacker to steal sensitive data submitted through forms, inject malware to infect visitors, deface the site, or use the server's resources for further attacks. The ease of exploitation makes this a particularly dangerous vulnerability for any site running an unpatched version.
The issue was discovered by Patchstack researcher Rafie Muhammad and reported to the plugin's developer, Saturday Drive. In response, the developer released patched versions 3.6.12 and 3.3.27 to address the vulnerability. All Ninja Forms users should update their plugin from the WordPress dashboard immediately to secure their sites. Administrators can also review their server logs and the `/wp-content/uploads/ninjaforms/tmp/` directory for any suspicious or unexpected files.
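A defender-side check in the spirit of the last sentence above, written here as an added example and not code from Patchstack or the Ninja Forms project: it walks an upload directory (a constructed stand-in for `/wp-content/uploads/ninjaforms/tmp/`) and flags files a form-attachment folder should never hold. The extension list, the PHP open-tag scan and the sample files are this example's own assumptions, not the plugin's.

```python
"""Flag files in a Ninja Forms upload directory that should never be there:
PHP-executable extensions, PHP open tags hidden in other files, and
server config files (.htaccess / .user.ini) that re-map handlers."""
import os
import re
import tempfile

# Extensions a typical Apache/PHP-FPM setup hands to the PHP interpreter.
EXECUTABLE_EXTENSIONS = {".php", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# PHP open tag in the first 4 KB, whatever the extension claims the file is.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SUSPICIOUS_NAMES = {".htaccess", ".user.ini"}

def scan_upload_dir(directory):
    """Return a sorted list of (relative path, reason) for suspicious files."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory)
            if name in SUSPICIOUS_NAMES:
                findings.append((rel, "server config file in upload dir"))
            elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append((rel, "executable extension"))
            else:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                if PHP_TAG.search(head):
                    findings.append((rel, "PHP open tag in non-PHP file"))
    return sorted(findings)

def build_sample_dir():
    """Constructed sample tree standing in for wp-content/uploads/ninjaforms/tmp/."""
    base = tempfile.mkdtemp()
    samples = {
        "resume.pdf": b"%PDF-1.4 harmless form attachment",
        "photo.jpg": b"\xff\xd8\xff\xe0 harmless image",
        "shell.php": b"<?php echo 'constructed marker'; ?>",  # dropped script
        "image.png": b"\x89PNG\r\n<?php echo 'hidden'; ?>",   # PHP inside an image
        ".htaccess": b"# constructed: no config file belongs in an upload dir",
    }
    for name, content in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(content)
    return base

if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_dir()):
        print(f"{rel}: {reason}")
```

Point `scan_upload_dir` at the real directory on a live server; legitimate attachments (PDFs, images, documents) produce no findings, so any output deserves a look alongside the web server's access log for the upload request that created it.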