Ninja Forms <= 2.9.42 Multiple Critical Security Vulnerabilities

ninjaforms

Multiple critical security vulnerabilities were discovered in the Ninja Forms plugin for WordPress. If you are using a version less than 2.9.42, update immediately!

Ninja Forms is a very popular WordPress plugin to easily build forms for WordPress.  The WordPress.org repository claims there are 500,000+ active installs and ninjaforms.com claims there have been over 2.38 million downloads of the plugin as of May 4th 2016. The plugin is currently listed as the 35th most popular plugin in the WordPress.org repository.

Multiple critical security vulnerabilities were discovered while doing a cursory investigation before deciding to use a plugin and disclosed to the WP Ninjas team. I did not do a full audit of the code base but I recommended the team do a complete audit before releasing an update. After they were patched, I recommended they contact the WordPress.org plugin security team to get help with forcing an automatic security update.

Vulnerable Versions

Version 2.9.36 to 2.9.42 are vulnerable to all of the following critical security vulnerabilities. The most sever vulnerability allows unrestricted uploading of files which could allow remote code execution on a typical webserver setup. The only condition required on a site to attack it is to already have a form enabled, which if this plugin is installed the chances of a form being in use are very high.

Read more

OptinMonster < 1.1.4.6 allows execution of arbitrary WordPress shortcodes

OptinMonster is a WordPress plugin/service to collect leads from customers visiting a website. The plugin is free to download from wordpress.org and it claims there are 20,000+ active installs. The service does require a membership, so presumably they have contacted all of their customers to tell them to upgrade.

I discovered an issue that allows any non-authenticated user to execute arbitrary WordPress shortcodes. Generally this type of access is only allowed by users with the ability to edit content on a site. Most of the default shortcodes aren’t very exciting and don’t provide much leverage for an attacker, but many third-party plugins expect that anyone who is able to execute shortcodes has sufficient permission that they don’t need to provide any further security.

Read more

Elegant Themes Divi/Divi Builder/Extra/Bloom/Monarch Security Vulnerability

This won’t be a typical full disclosure post. I will release that after sufficient time has passed to allow users to upgrade. The most I will say now is that logged in users had access to more than they should have. If your site does not have additional untrusted users this is not a major issue for you. Though everyone should upgrade immediately.

On 2/10/2016 I discovered a potential security issue with Elegant Themes Divi theme. Since I am not a customer of theirs I had some issues getting in touch with someone to disclose the information to, but after a few emails and a Twitter exchange I was able to convey the information.

In the interim, Elegant Themes had Securi do a complete code analysis to check for further issues and apparently they did not discover anything further than I already had.

On 2/17/2016 Elegant Themes released updated versions and contacted their customer list to tell them to upgrade. I haven’t seen the exact email sent.

I believe a customer of theirs tweeted out about the issue. I was going to wait to post this until Elegant Themes had a chance to do their own release.

I have not seen the updated code, but based on the description received it sounds like the issue should be resolved.

Affected Versions

  • Divi < 2.6.4
  • Diviv (legacy) < 2.3.4
  • Divi Builder < 1.2.4
  • Extra < 1.2.4
  • Bloom < 1.1.1
  • Monarch < 1.2.7