Critical vulnerability in Ninja Forms exposes over a million WordPress sites

April 9, 20262 min read2 sources
Share:
Critical vulnerability in Ninja Forms exposes over a million WordPress sites

A critical security flaw in Ninja Forms, a popular WordPress plugin installed on over one million websites, allows attackers to take complete control of affected sites. The vulnerability, tracked as CVE-2023-5825, enables unauthenticated remote code execution (RCE), and administrators are urged to apply security updates immediately.

The flaw is an arbitrary file upload vulnerability affecting Ninja Forms versions up to and including 3.6.11. According to security research firm Patchstack, the plugin's file upload function did not properly validate user permissions or file types. This oversight allows an attacker, without needing any login credentials, to upload malicious files such as a PHP web shell directly to the server. The critical nature of the flaw is reflected in its CVSS score of 9.8 out of 10.

Once a malicious file is on the server, an attacker can execute arbitrary commands. This can lead to a full website compromise, enabling them to steal sensitive data submitted through forms, inject malware to infect visitors, deface the site, or use the server's resources for further attacks. The ease of exploitation makes this a particularly dangerous vulnerability for any site running an unpatched version.

The issue was discovered by Patchstack researcher Rafie Muhammad and reported to the plugin's developer, Saturday Drive. In response, the developer released patched versions 3.6.12 and 3.3.27 to address the vulnerability. All Ninja Forms users should update their plugin from the WordPress dashboard immediately to secure their sites. Administrators can also review their server logs and the `/wp-content/uploads/ninjaforms/tmp/` directory for any suspicious or unexpected files.

Share:

// SOURCES

// RELATED

Meta settles bellwether lawsuit alleging addictive design harmed student mental health

Meta's confidential settlement with a Washington school district marks a pivotal moment in the massive litigation against social media's psychological

6 min readMay 24

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

A sophisticated zero-day attack on Huawei routers allegedly caused Luxembourg's 2023 national telecom outage, raising severe global security concerns.

6 min readMay 23

MiniPlasma Windows 0-day enables SYSTEM privilege escalation on fully patched systems

A newly disclosed 0-day flaw, MiniPlasma, allows attackers to gain full SYSTEM control on patched Windows systems, with a public PoC accelerating risk

6 min readMay 18

The ransomware dilemma: why more than half of security chiefs would pay the price

A new survey reveals 56% of CISOs would consider paying a ransom, highlighting the intense pressure to restore operations despite official guidance.

6 min readMay 16