Published by PenTestBox™ CODE RED at February 23, 2021
Image credit by Pixabay

VTA-00359 – Multiple WordPress Plugin Vulnerabilities Affecting One Million Websites:

SuperPRO’s Recommendations:
1. Update Ninja Forms to the latest available version (3.5.0 at the time of writing). The free core plugin can be updated from the WordPress Dashboard > Updates page; add-ons downloaded from your NinjaForms.com account may need the manual procedure below.
2. Steps to manually update Ninja Forms and its add-ons:
i. Go to your WordPress Dashboard > Plugins and click “Deactivate” on the plugin you would like to update.
ii. After the plugin deactivates, click “Delete.” You will not lose any Ninja Forms data; forms and submissions are stored in the database, not in the plugin files.
iii. After the plugin has finished deleting, go to Plugins > Add New.
iv. Choose the “Upload” option at the top of the page.
v. Click “Choose File” and select the “zip” file you downloaded from your account on NinjaForms.com.
vi. Click “Install Now”.
vii. After the installation finishes, click “Activate”. Repeat these steps for each plugin or add-on that needs to be updated this way.
3. Because the most severe issue lets an attacker reroute the site’s outgoing email, sites that ran a vulnerable version should also check the SendWP and Add-on Manager settings for connections they do not recognise, and review administrator accounts and any recent password resets.

The Story:

Ninja Forms, a popular WordPress plugin installed on more than one million sites, was found to contain four severe vulnerabilities, the worst of which could lead to takeover of a vulnerable site. All four were still awaiting CVE IDs at the time of writing. They are:

1. Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
SendWP is a third-party email delivery and logging service that Ninja Forms can install and connect to from inside the plugin. The AJAX action used for this installation did not check the caller’s privileges, so an authenticated user could trigger it and obtain the SendWP client secret. With that secret, the attacker can reroute all email from the WordPress site to their own SendWP account and intercept all mail traffic, including password-reset links for administrator accounts. This can be turned into a full site takeover through an administrator account. This vulnerability has an estimated CVSS score of 9.9 out of 10.

2. Authenticated OAuth Connection Key Disclosure
This vulnerability also abuses an AJAX action, this time in the “Add-on Manager”, the dashboard through which site owners remotely manage all purchased Ninja Forms add-ons. The action returns a “connection_url” that embeds the “client_secret” used to establish an OAuth connection with the Ninja Forms Add-On Management portal. Exploitation also requires social engineering: a second AJAX action updates the “client_id” stored in the site database, and the attacker must get an administrator to open a specially crafted link that triggers it. With the disclosed secret and a client_id of their choosing, the attacker can establish the OAuth connection for the vulnerable WordPress site with their own account. This vulnerability has an estimated CVSS score of 7.7.

3. Administrator Open Redirect
This vulnerability abuses the redirect function of an AJAX action. The value of the ‘redirect’ parameter is not validated, so it can be swapped for any URL and the site administrator will be sent there. A specially crafted link sent to the administrator therefore redirects them to an external, attacker-controlled site, which can be used for phishing or to attempt to compromise the administrator’s device. This vulnerability has an estimated CVSS score of 4.8.

4. Cross-Site Request Forgery to OAuth Service Disconnection
This vulnerability allows an attacker to disconnect an established OAuth connection. The “disconnect” function of the AJAX action has no nonce protection, so a crafted link or attachment sent to the administrator performs the disconnection as soon as they open it. This vulnerability has an estimated CVSS score of 6.1.
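All four findings above come down to the same handful of WordPress plugin mistakes: an admin-ajax.php action reachable by every logged-in user with no capability check, no nonce (CSRF) check on a state-changing action, a secret handed back to whoever asks, and a ‘redirect’ parameter followed without validation. The following PHP is an illustrative example written for this advisory, not Ninja Forms’ own code: a hypothetical plugin called “exampleplugin” with a handler showing those defects beside a hardened version. The plugin name, action names, option names and the host portal.example.com are all made up.

```php
<?php
/*
 * Illustrative code for this advisory, NOT Ninja Forms source. It models the
 * defect classes described above in a hypothetical plugin "exampleplugin":
 * an AJAX handler reachable by every logged-in user that (a) has no capability
 * check, (b) has no nonce/CSRF check, (c) returns a client secret and
 * (d) follows an unvalidated redirect. All identifiers below are made up.
 */

/* ---------- Vulnerable pattern ---------- */

// wp_ajax_* hooks fire for ANY authenticated user, whatever their role.
add_action( 'wp_ajax_exampleplugin_connect_insecure', 'exampleplugin_connect_insecure' );

function exampleplugin_connect_insecure() {
	// (b) No nonce: an admin tricked into opening a crafted link changes this setting.
	if ( isset( $_GET['client_id'] ) ) {
		update_option( 'exampleplugin_client_id', $_GET['client_id'] );
	}
	// (d) Open redirect: wp_redirect() will send the browser to any absolute URL.
	if ( isset( $_GET['redirect'] ) ) {
		wp_redirect( $_GET['redirect'] );
		exit;
	}
	// (a)+(c) No capability check, and the secret goes to whoever asked for it.
	$secret = get_option( 'exampleplugin_client_secret' );
	wp_send_json_success( array(
		'connection_url' => 'https://portal.example.com/oauth?client_secret=' . rawurlencode( $secret ),
	) );
}

/* ---------- Hardened pattern ---------- */

add_action( 'wp_ajax_exampleplugin_connect', 'exampleplugin_connect' );

function exampleplugin_connect() {
	// CSRF: require a nonce minted for this exact action; dies with HTTP 403 otherwise.
	check_ajax_referer( 'exampleplugin_connect', '_wpnonce' );

	// Authorization: only users who may manage site options touch the integration.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
	}

	// Validate input before anything is persisted.
	if ( isset( $_GET['client_id'] ) ) {
		$client_id = sanitize_text_field( wp_unslash( $_GET['client_id'] ) );
		if ( ! preg_match( '/^[A-Za-z0-9_-]{8,64}$/', $client_id ) ) {
			wp_send_json_error( array( 'message' => 'Invalid client_id.' ), 400 );
		}
		update_option( 'exampleplugin_client_id', $client_id );
	}

	// wp_safe_redirect() only follows targets on this site or on hosts added via the
	// allowed_redirect_hosts filter; anything else falls back to the admin dashboard.
	if ( isset( $_GET['redirect'] ) ) {
		wp_safe_redirect( esc_url_raw( wp_unslash( $_GET['redirect'] ) ) );
		exit;
	}

	// The client secret never leaves the server. The browser only gets an opaque,
	// short-lived state value; the vendor portal must complete the exchange server-side.
	$state = wp_generate_password( 32, false );
	set_transient( 'exampleplugin_oauth_state_' . $state, get_current_user_id(), 10 * MINUTE_IN_SECONDS );
	wp_send_json_success( array(
		'connection_url' => add_query_arg( 'state', $state, 'https://portal.example.com/oauth' ),
	) );
}

// Permit the (hypothetical) vendor portal as a redirect destination for wp_safe_redirect().
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
	$hosts[] = 'portal.example.com';
	return $hosts;
} );

// Disconnect is state-changing too, so it gets the same nonce + capability gate.
add_action( 'wp_ajax_exampleplugin_disconnect', function () {
	check_ajax_referer( 'exampleplugin_disconnect', '_wpnonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( null, 403 );
	}
	delete_option( 'exampleplugin_client_id' );
	delete_option( 'exampleplugin_client_secret' );
	wp_send_json_success();
} );

// How a legitimate admin page builds the nonce-bearing link the hardened handler expects:
// wp_nonce_url( admin_url( 'admin-ajax.php?action=exampleplugin_connect' ), 'exampleplugin_connect', '_wpnonce' );
```

When reviewing a plugin for this class of bug, look at every `add_action( 'wp_ajax_…' )` and `'wp_ajax_nopriv_…'` registration and confirm the callback begins with both a nonce check (`check_ajax_referer()` or `wp_verify_nonce()`) and a capability check; a nonce alone does not authorize the caller, and a capability check alone does not stop CSRF. Any redirect built from request data should go through `wp_safe_redirect()` rather than `wp_redirect()`.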

Severity:
High

Attack Surfaces:
Web Application

Tactics:
Initial Access

Techniques:
Exploit Public-Facing Application, Phishing

Indicator of Compromise (IOC) Detection:
N/A

References:
1. https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
2. https://threatpost.com/ninja-forms-wordpress-plugin-hacks/164042/

Contributed by: Riven




PROVINTELL TECHNOLOGIES SDN BHD
PROVINTELL LAB SDN BHD

Block F, Unit 68-2,
Zenith Corporate Park, Jalan SS7/26,
47301 Petaling Jaya,
Selangor. Malaysia.
+603-7661 0891
+603-7661 0897

© 2021 All Rights Reserved, By Provintell Technologies Sdn Bhd.