This entry was posted in Vulnerabilities, WordPress Security on May 5, 2016 by Mark Maunder

A few times a year we see very bad vulnerabilities come along. This is, unfortunately, one of those times.

Ninja Forms versions 2.9.36 to 2.9.42 contain multiple vulnerabilities. One of the vulnerabilities results in an attacker being able to upload and execute a shell on WordPress sites using Ninja Forms. We have developed a working exploit for internal use at Wordfence. The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42.

Wordfence Firewall already protects against uploading of malicious PHP files, so you were already protected against this attack while it was still a 0 day. As an additional precaution, this morning we have released three additional rules via the Wordfence Threat Defense Feed which are already active on our Wordfence Premium customer sites.

Ninja Forms has over 500,000 active installs, so the impact of this vulnerability is going to be fairly widespread.

We are monitoring attacks in real-time and are not yet seeing this being widely exploited. We suspect this is because an exploit has not shown up yet on exploit-db or other public exploit databases (as of 9am Pacific time on May 5th). We expect this to happen within 48 hours and there will almost immediately be widespread attacks that exploit this vulnerability.

It’s not often that attackers are provided with a fresh vulnerability in a popular plugin that lets them drop shells or execute code on a large number of WordPress sites. This only happens a few times a year.

WordPress.org has already released an automated forced plugin update. This happened on May 3rd which was 48 hours ago. We’ve confirmed that this forced update is taking effect on our test sites. This vulnerability will continue to affect sites that have not been updated by their owners and where forced plugin update is disabled or not feasible.

What to Do

Update Ninja Forms immediately to at least version 2.9.45 if you haven’t already.

If you are running the free version of Wordfence you already have fairly good protection against this vulnerability. If you are running our Premium version, we have already released new rules that give you full protection against this vulnerability even if your site has not been updated yet.

If you aren’t using our firewall but are using a competing product, verify that they protect against this specific exploit. This is a new vulnerability and they may not have added rules to protect against it yet.

If you weren’t using a firewall before you updated, you should also verify that your site has not already been compromised. We recommend you install Wordfence and run a scan.
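For anyone checking many sites at once, here is one way to compare installed versions against the numbers in this post. This is an added example, not Wordfence or Ninja Forms code: the function names are hypothetical, and it assumes you pass in the path of each site's Ninja Forms main plugin file, whose header comment carries the standard WordPress `Version:` line.

```python
import re
from pathlib import Path

# Version boundaries as stated in this post.
AFFECTED_MIN = (2, 9, 36)
AFFECTED_MAX = (2, 9, 42)
RECOMMENDED_MIN = (2, 9, 45)

# WordPress plugins declare their version in a header comment of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(text):
    """Turn '2.9.42' into (2, 9, 42), padded to three components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_from_header(php_source):
    """Return the version tuple from a plugin header, or None if absent."""
    match = HEADER_RE.search(php_source)
    return parse_version(match.group(1)) if match else None


def classify(version):
    if version is None:
        return "unknown"      # no Version header found: inspect by hand
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"     # inside the range this post names
    if version >= RECOMMENDED_MIN:
        return "ok"
    return "update"           # outside the named range, but below 2.9.45


def audit(main_files):
    """Map each plugin main-file path (supplied by the caller) to a status."""
    results = {}
    for path in main_files:
        try:
            # WordPress itself only reads the first 8 KB for header data.
            source = Path(path).read_text(errors="replace")[:8192]
        except OSError:
            results[str(path)] = "unknown"
            continue
        results[str(path)] = classify(version_from_header(source))
    return results
```

A status of `affected` or `update` means the site is below 2.9.45 and should be updated; `affected` additionally means it should be checked for signs of compromise as described above.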

You can find the full disclosure of the vulnerability by James Golovich on pritect.net. This was published yesterday and contains more technical detail of the vulnerability.

You can find Ninja Forms changelog here which will help you keep abreast of any additional security updates they may release in the next few days.