Vulnerabilities Discovered in Two Popular WordPress Contact Form Plugins Impact Over 1.1 Million Installations.
Vulnerabilities in WordPress Contact Form Plugins
Due to vulnerabilities found in two popular WordPress contact form plugins, security advisories have been released that may impact over 1.1 million websites. Users are strongly encouraged to update their plugins to the latest versions.
Over 1 Million Installations of Affected WordPress Contact Forms
The plugins in question are Ninja Forms, with over 800,000 installations, and Fluent Forms, with more than 300,000 installations. These vulnerabilities are unrelated and stem from different security issues.
Ninja Forms is affected by an issue in which a URL is not properly escaped, making a reflected cross-site scripting (XSS) attack possible. Fluent Forms, meanwhile, is vulnerable because of an inadequate capability check.
Ninja Forms Reflected Cross-Site Scripting (XSS) Vulnerability
The reflected XSS vulnerability in Ninja Forms could allow an attacker to target a website’s admin user, potentially gaining their site privileges. However, the attacker must first trick the admin into clicking a malicious link. This vulnerability is still being evaluated and has not yet received a CVSS (Common Vulnerability Scoring System) score.
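The bug class described above, shown as an added example rather than Ninja Forms' own code: a hypothetical plugin shortcode (the function and shortcode names are assumptions) that copies the request URL into markup without escaping, next to the same code hardened with the WordPress escaping helpers that match each output context.

```php
<?php
// Added example, not Ninja Forms' code. Illustrates reflected XSS caused by an
// unescaped URL in a hypothetical plugin shortcode; all names are assumptions.

// VULNERABLE PATTERN: the current request URI is written straight into the
// form's action attribute, and a query parameter straight into a value
// attribute. Characters in a crafted link can close the attribute and inject
// markup that runs in the browser of whoever opens that link.
function example_form_vulnerable() {
    $action = $_SERVER['REQUEST_URI'];
    $email  = $_GET['email'] ?? '';
    return '<form method="post" action="' . $action . '">'
         . '<input type="text" name="email" value="' . $email . '">'
         . '</form>';
}

// HARDENED PATTERN: escape at output time with the helper that matches the
// context: esc_url() for href/action (it also drops disallowed URL schemes),
// esc_attr() for other attribute values. Input is unslashed and sanitized
// before it is used at all.
function example_form_hardened() {
    $action = esc_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
    $email  = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    return '<form method="post" action="' . $action . '">'
         . '<input type="text" name="email" value="' . esc_attr( $email ) . '">'
         . '</form>';
}

add_shortcode( 'example_form', 'example_form_hardened' );
```

The detection-side takeaway is the same one reviewers apply to any WordPress plugin: every value that originates in the request (`$_SERVER`, `$_GET`, `$_POST`) must pass through a context-appropriate `esc_*()` function at the point it is echoed, not just when it is read.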
Fluent Forms Insufficient Authorization Check
Fluent Forms’ vulnerability arises from a missing capability check, which might permit unauthorized modifications to an API (a tool that enables different software applications to communicate). Exploiting this issue requires the attacker to hold subscriber-level access, which is possible on sites that allow user registration; on sites without open registration, the vulnerability cannot be exploited. The issue has been given a medium-severity score of 4.2 out of 10.
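The bug class described above, as an added example that is not Fluent Forms' code: a hypothetical AJAX handler (action, option and nonce names are assumptions) that saves an API setting. The first version is reachable by any logged-in user, including subscribers, because it never checks a capability; the second requires a nonce and an explicit capability before writing the option.

```php
<?php
// Added example, not Fluent Forms' code. Shows a privileged action that is
// exposed to every authenticated user because the capability check is
// missing, and the hardened form. Hook, option and nonce names are assumptions.

// VULNERABLE PATTERN: 'wp_ajax_' hooks fire for any logged-in account, so
// without a capability check a subscriber-level user can rewrite the setting.
function example_save_api_settings_vulnerable() {
    $endpoint = isset( $_POST['api_endpoint'] ) ? sanitize_text_field( wp_unslash( $_POST['api_endpoint'] ) ) : '';
    update_option( 'example_api_endpoint', $endpoint );
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce first (blocks cross-site request
// forgery), then require a capability that only administrators hold.
// Both helpers end the request on failure, so the write is never reached.
function example_save_api_settings_hardened() {
    check_ajax_referer( 'example_save_api_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    $endpoint = isset( $_POST['api_endpoint'] ) ? esc_url_raw( wp_unslash( $_POST['api_endpoint'] ) ) : '';
    update_option( 'example_api_endpoint', $endpoint );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_save_api_settings', 'example_save_api_settings_hardened' );
```

The same rule applies to REST routes registered with `register_rest_route()`: the `permission_callback` must call `current_user_can()` with the capability the action actually needs. A nonce alone only proves the request came from the site's own pages, not that the user is allowed to perform the action, which is why both checks are kept.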
Recommended Actions
Users of both plugins should update to the latest versions to ensure security. Fluent Forms is currently at version 5.2.0, while the latest version of Ninja Forms is 3.8.14.