Affected plugin installed on over 600,000 WP sites

Aug 22, 2016 02:35 GMT  ·  By

An SQL injection vulnerability exists in the Ninja Forms WordPress plugin that is both easy to exploit and lets an attacker dump a great deal of sensitive information from affected sites.

The vulnerability affects Ninja Forms versions prior to 2.9.55.2, the version in which the issue was fixed.

US security firm Sucuri discovered the flaw on August 11, 2016, and the Ninja Forms team fixed the problem the same day, 5 hours and 14 minutes after it was reported.

Attackers need an account on the site first

Ninja Forms is a very popular WordPress plugin developed by WP Ninjas, LLC, installed on over 600,000 sites, according to statistics provided by the WordPress Plugin Directory.

According to Sucuri, in order to compromise a website an attacker first needs to register an account on the targeted site. This requirement reduces the attack surface, but many sites allow visitors to register in order to comment on blog posts, so the prerequisite is a low bar.

Ninja Forms allows WordPress users to create web forms in various configurations. This is done using a drag-and-drop builder that yields shortcodes that users can embed in their content. Additional shortcodes are also provided for querying various details of a form and its submissions.

Sucuri says that an attacker can send a custom HTTP POST request to the targeted site carrying a shortcode of the form [ninja_forms_display_sub_number id="123' SQL INJECTION OCCURS HERE"] and trigger an SQL injection: the single quote in the id attribute closes the string literal the plugin builds around the value, and whatever follows is executed as SQL.
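The following Python script is an added example, not the plugin's code or Sucuri's proof of concept. It models the bug class against a constructed in-memory SQLite database: one shortcode handler concatenates the id attribute straight into the query, the other binds it as an integer parameter, which is the analogue of `$wpdb->prepare("... WHERE id = %d", $id)` in WordPress PHP. The table `wp_nf_subs`, its columns, the sample rows and the payload are all assumptions made for the demonstration; only `wp_users` mirrors a real WordPress table.

```python
import re
import sqlite3

# Constructed sample schema. wp_users mirrors WordPress; wp_nf_subs is an
# assumed submissions table, not the plugin's real schema.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE wp_nf_subs (id INTEGER PRIMARY KEY, sub_number TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashForDemoOnly000000000');
INSERT INTO wp_users VALUES (2, 'editor', '$P$BanotherFakeHash11111111111111');
INSERT INTO wp_nf_subs VALUES (123, 'SUB-123');
INSERT INTO wp_nf_subs VALUES (124, 'SUB-124');
"""

# Minimal parser for the shortcode named in the advisory (double-quoted id only).
SHORTCODE_RE = re.compile(r'\[ninja_forms_display_sub_number\s+id="([^"]*)"\]')


def parse_shortcode(content):
    """Return the raw id attribute of the first matching shortcode, or None."""
    m = SHORTCODE_RE.search(content)
    return m.group(1) if m else None


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def display_sub_number_vulnerable(conn, raw_id):
    """Bug class: attacker-controlled attribute concatenated into the SQL text."""
    sql = "SELECT sub_number FROM wp_nf_subs WHERE id = '" + raw_id + "'"
    return [row[0] for row in conn.execute(sql)]


def display_sub_number_fixed(conn, raw_id):
    """Hardened handler: the id is coerced to an integer and bound as a parameter.

    This mirrors $wpdb->prepare() with a %d placeholder. PHP's (int) cast would
    keep the leading digits of junk input rather than reject it; either way only
    an integer ever reaches the query, so the quote and UNION are inert.
    """
    try:
        sub_id = int(raw_id)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT sub_number FROM wp_nf_subs WHERE id = ?", (sub_id,)
    )
    return [row[0] for row in rows]


# Constructed attacker payload: the quote closes the literal, UNION pulls
# usernames and password hashes out of wp_users, and the trailing comment
# swallows the closing quote the handler appends.
PAYLOAD = "123' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "
POST_BODY = '[ninja_forms_display_sub_number id="' + PAYLOAD + '"]'


def demo():
    """Run both handlers on the malicious shortcode and on a legitimate id."""
    conn = open_db()
    raw_id = parse_shortcode(POST_BODY)
    return {
        "vulnerable": display_sub_number_vulnerable(conn, raw_id),
        "fixed": display_sub_number_fixed(conn, raw_id),
        "fixed_legit": display_sub_number_fixed(conn, "123"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable handler returns the requested submission number followed by every `user_login:user_pass` pair in `wp_users`, which is exactly the data the advisory says can be pilfered; the parameterized handler returns nothing for the payload and the single expected row for a genuine id.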

Attackers can pilfer usernames and passwords

The SQL injection allows attackers to dump details such as the site's usernames and hashed passwords and, in some cases, the WordPress secret keys.

The exploitation chain is trivial, and even less skilled attackers can pull it off. Despite this, the Sucuri team noted a general improvement in the WordPress security model.

"SQL injections tend to be trickier to find in popular plugins now than they used to be," Sucuri's Marc-Alexandre Montpas writes, "partly due to the increasing popularity of prepared statements like $wpdb->prepare()."