Hack WordPress Websites Through Vulnerabilities in Ninja Forms Plugin

by time news

2023-08-01 02:17:06

It has come to light that the Ninja Forms plugin for WordPress has multiple security flaws that malicious actors could abuse to gain elevated access and steal sensitive data.

According to a report published by Patchstack a week ago, the vulnerabilities, which are listed as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, affect versions 3.6.25 and earlier. There are now over 800,000 websites using Ninja Forms.

The following is a summary of each vulnerability:

CVE-2023-37979 is a POST-based cross-site scripting (XSS) vulnerability with a CVSS score of 7.1. It could allow any unauthenticated user to steal critical information and, in this case, escalate privileges on a target WordPress site. The attacker triggers it by tricking a privileged user into visiting a specially constructed website.

Broken access control in the form submission export functionality is the source of the second and third vulnerabilities, which are tracked as CVE-2023-38393 and CVE-2023-38386 respectively. Users with the Subscriber and Contributor roles on a WordPress site can exploit these vulnerabilities to export all Ninja Forms submissions on the website.

Users of the plugin are strongly recommended to update to version 3.6.26 to protect against potential hazards.
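
One way to find installations that still run an affected release, given here as an added example that is not taken from the Patchstack report or the plugin's code: the script reads the `Version:` header from each site's copy of the plugin and compares it with 3.6.26. The plugin path and main file name are assumptions about a default install, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 6, 26)  # first fixed release per the article; 3.6.25 and earlier are affected
# Assumption: default plugin location and main file name inside a WordPress root.
PLUGIN_FILE = Path("wp-content/plugins/ninja-forms/ninja-forms.php")
# WordPress-style header line, e.g. " * Version: 3.6.25"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

# Constructed sample header, used only for the demo when no paths are given.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Ninja Forms
 * Version: 3.6.25
 */
"""

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = HEADER_RE.search(text[:8192])  # WordPress reads headers from the first 8 KB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Map a parsed version to 'unknown', 'vulnerable' or 'patched'."""
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED else "patched"

def audit(roots):
    """Return (root, version, status) for each WordPress root directory."""
    results = []
    for root in roots:
        plugin = Path(root) / PLUGIN_FILE
        if not plugin.is_file():
            results.append((str(root), None, "not-installed"))
            continue
        version = parse_version(plugin.read_text(encoding="utf-8", errors="replace"))
        results.append((str(root), version, classify(version)))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for root, version, status in audit(sys.argv[1:]):
            shown = ".".join(map(str, version)) if version else "-"
            print(f"{root}\t{shown}\t{status}")
    else:
        print("sample header ->", classify(parse_version(SAMPLE_HEADER)))
```

Pass one or more WordPress root directories as arguments; a status of `unknown` means the file exists but carries no parseable version header and should be checked by hand.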
