• Nasty WordPress plugin vulnerabilities puts over a million sites

    From TechnologyDaily@1337:1/100 to All on Thu Sep 23 14:30:03 2021
    Nasty WordPress plugin vulnerabilities puts over a million sites at risk

    Date:
    Thu, 23 Sep 2021 13:08:31 +0000

    Description:
    An improperly implemented security check in the Ninja Forms plugin gave super powers to any logged in user.

    FULL STORY ======================================================================

    Two vulnerabilities in the popular Ninja Forms WordPress plugin could've enabled threat actors to export sensitive information and send phishing
    emails from a vulnerable site, report security researchers.

    In their breakdown of the vulnerability, cybersecurity researchers from Wordfence, which develops security solutions to protect WordPress installations, note that Ninja Forms boasts of an installation base of over one million websites.

    The researchers explain that the vulnerabilities existed because the popular form building plugin relied on an insecure implementation of the mechanism that checks a user's permissions.

    The insecure implementation meant that instead of ensuring a logged-in user had the right permissions to trigger the associated action, the function only checked whether the user was in fact logged in or not, and nothing else.
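    The pattern described above, as an added illustration that is not Ninja Forms' code or Wordfence's: a WordPress admin-ajax handler for a hypothetical "export all submissions" action, first gated only on login status, then gated on a specific capability plus a nonce. The action name, the function names, the `manage_options` capability and the sample data are assumptions made for this example.

```php
<?php
// Added example, not code from the plugin or the article. Names, action slug,
// capability and sample data are assumptions for illustration.

// --- Weak pattern: "is the caller logged in?" is the only gate -------------
function demo_export_submissions_weak() {
    // Any authenticated account, including a subscriber, passes this check,
    // which is the class of mistake the article describes.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }
    wp_send_json_success( demo_build_export() );
}

// --- Hardened pattern: capability check + nonce check ----------------------
function demo_export_submissions_hardened() {
    // 1. Authorization: require a concrete capability, not mere login.
    //    'manage_options' is assumed here; a real plugin would usually
    //    register and check its own capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. Request forgery protection: the request must carry a nonce minted
    //    for this exact action. With the third argument false,
    //    check_ajax_referer() returns false instead of calling wp_die().
    if ( ! check_ajax_referer( 'demo_export_submissions', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    wp_send_json_success( demo_build_export() );
}

function demo_build_export() {
    // Stand-in for the real export; returns one constructed sample row.
    return array(
        array( 'email' => 'user@example.com', 'message' => 'constructed sample' ),
    );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_ hook, so anonymous callers get no handler.
add_action( 'wp_ajax_demo_export_submissions', 'demo_export_submissions_hardened' );

// The matching nonce is handed to the admin page's script, for example when the
// script is enqueued (script handle and JS object name are assumptions):
// wp_localize_script( 'demo-admin', 'demoExport',
//     array( 'nonce' => wp_create_nonce( 'demo_export_submissions' ) ) );
```

    The same two gates apply to a "send email" handler: a capability check decides who may trigger it, and the nonce ties each request to a form the site itself rendered. On a site you administer, `wp plugin list` (WP-CLI) shows installed plugin versions so you can confirm the patched release is in place.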

    One of the issues, a bulk submission export vulnerability, could enable any logged-in user, irrespective of their permissions level, to export everything that had ever been submitted to one of the site's forms.

    The other issue enabled any user to send an email from a vulnerable WordPress website to any email address.

    "This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing
    the trust in the domain that was used to send the email," suggests Wordfence, adding that it could also be used to trick the website's admins as well to facilitate a site takeover campaign.

    Wordfence responsibly disclosed the vulnerability to Ninja Forms on August 3, 2021, who acknowledged it immediately and released a patch earlier this month in the form of Ninja Forms v3.5.8.



    ======================================================================
    Link to news story: https://www.techradar.com/news/nasty-wordpress-plugin-vulnerabilities-puts-over-one-million-sites-at-risk/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)