Multiple critical security vulnerabilities were discovered in the Ninja Forms plugin for WordPress. If you are using a version less than 2.9.42, update immediately!
Ninja Forms is a very popular plugin for building forms in WordPress. The WordPress.org repository claims 500,000+ active installs, and ninjaforms.com claims over 2.38 million downloads of the plugin as of May 4th 2016. The plugin is currently listed as the 35th most popular plugin in the WordPress.org repository.
Multiple critical security vulnerabilities were discovered while doing a cursory investigation before deciding to use a plugin and disclosed to the WP Ninjas team. I did not do a full audit of the code base but I recommended the team do a complete audit before releasing an update. After they were patched, I recommended they contact the WordPress.org plugin security team to get help with forcing an automatic security update.
Versions 2.9.36 through 2.9.42 are vulnerable to all of the following critical security vulnerabilities. The most severe allows unrestricted uploading of files, which on a typical webserver setup could lead to remote code execution. The only condition required to attack a site is that a form is already enabled; since this plugin exists to serve forms, that is very likely the case on any site where it is installed.
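To make the "unrestricted upload leads to remote code execution" point concrete, here is an added example that is not code from Ninja Forms, WP All Import or this page: a naive PHP upload handler next to a hardened one. The function names, the upload directory paths and the size limit are illustrative assumptions; the page does not show the plugin's actual vulnerable code.

```php
<?php
// Added illustration of the vulnerability class, not the plugin's own code.
// Function names and paths are assumptions chosen for the example.

// Naive handler: keeps the client-supplied file name (and therefore its
// extension) and writes it under the web root. On a typical Apache/PHP setup an
// attacker uploads "shell.php" through the form and then requests
// /uploads/shell.php, and the server executes it: remote code execution.
function naive_upload(array $file, string $webroot): string {
    $dest = $webroot . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened handler: allowlists extension and sniffed content type, discards
// the client's name, and stores the file where scripts are never executed.
function hardened_upload(array $file, string $storeDir): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > 5 * 1024 * 1024) {           // assumed 5 MiB limit
        throw new RuntimeException('File too large');
    }

    // Allowlist by extension AND by content sniffed from the bytes on disk.
    // $_FILES['type'] is attacker-controlled and is deliberately never consulted.
    $allowed = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // Server-chosen random name: the client's name is dropped entirely, which
    // also defeats double-extension tricks such as "shell.php.png" (Apache can
    // hand any ".php" segment to the PHP handler) and path traversal in the name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;

    // $storeDir must be outside the web root (or served with script execution
    // disabled); files are handed back through a controlled read, not a URL
    // that maps straight onto the directory.
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Usage from a form submission handler (assumed field name and directory):
// $path = hardened_upload($_FILES['attachment'], '/var/lib/app/uploads');
```

The two controls that matter most are the last two: even if the allowlist is bypassed by a polyglot file, a random server-chosen name and a store outside the document root mean the web server never maps a request onto the uploaded bytes as a script.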
If you use WP All Import or WP All Import Pro you should upgrade immediately to fix several severe vulnerabilities! Check out the WP All Import Vendor Announcement.
Monday February 23rd 2015 started off as a normal day. I was looking into an issue someone was having using WP All Import to import some data into a custom post type (CPT).
I’d never used WP All Import before, so I downloaded a copy from wordpress.org and set it up (very easy BTW). Unfortunately, I was blocked because you need a free version to import CPT. I decided to open up the source to see how it was actually inserting the CPT data; as long as I could see how it was working, I could solve the original issue and go on with my day. After a few minutes looking at the code some familiar patterns jumped out at me and I knew I had to investigate further.
As soon as I realized there was something worth reporting I sent an email to firstname.lastname@example.org requesting a direct contact email for someone. I didn’t want to release information to an address that auto posts to a public tracker, or worse, not read at all.
Later that evening I was contacted directly by Louis Reingold requesting some more information. I provided detailed information about the potential vulnerability and right away he replied saying they would get it fixed asap and alert their customers.
I suspect Max, their developer, had a late night working on the issues. After I went to bed, I received 2 emails through the night and a bounty via PayPal (Thanks! Other vendors take note!)
After a couple of follow-up emails I received an updated version of the code (the Pro version too! I’ll have to remember to check back into that original issue) and noticed almost everything was fixed, but pointed out a bit more that needed fixing.
- WP All Import < 3.2.4
- WP All Import Pro < 4.1.1
After sufficient time has been given for WP All Import users to upgrade I will release more information about these vulnerabilities.
Update: Sufficient time has passed; I’ve posted the WP All Import Vulnerability Breakdown.