Home » NinjaForms < 3.0.32 allows injecting arbitrary WordPress shortcodes

NinjaForms < 3.0.32 allows injecting arbitrary WordPress shortcodes

Back in March 2016 Ninja Forms version 3.0 started to roll out, there was an unknown vulnerability at the time that allowed unauthenticated end users to inject arbitrary WordPress shortcodes via form field submissions. The issue was resolved in version 3.0.31.

The default WordPress shortcodes do not provide much further access and accessing the [ninja-forms] shortcode would only allow an attacker to preview un-published forms. While these shortcodes could allow leverage for further attacks by default this is a very minor issue, though if a site has additional plugins installed that provide shortcodes then this vulnerability could be leveraged to execute those.

Timeline

  • 10/27/2016 First contact to vendor regarding issue
  • 10/27/2016 Received vendor support reply saying they will forward on the issue
  • 11/9/2016 Version 3.0.15 released
  • 11/10/2016 Second contact regarding issue
  • 11/21/2016 Version 3.0.16 released
  • 11/22/2016 Third contact regarding issue
  • 12/6/2016 Version 3.0.18 released
  • 2/28/2016 Version 3.0.30 released
  • 3/2/2017 Fourth attempt regarding issue
  • 3/3/2017 Reply from developer saying they see the issue and will be resolved
  • 3/7/2017 Version 3.0.31 released