Flaws in Ninja Forms, LearnPress Plugins Exposed WordPress Sites to Attacks

High-severity vulnerabilities patched in the Ninja Forms and LearnPress WordPress plugins could be exploited to take over vulnerable sites, WordPress security company Defiant reports.

The developers of highly popular Ninja Forms last week addressed Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerabilities that attackers could chain to trick an admin into importing a contact form containing malicious JavaScript code that would then get executed when certain pages are visited.

With more than 1 million installations, the Ninja Forms plugin allows site admins to create user-friendly WordPress forms even without coding skills. Collectively tracked as CVE-2020-12462, the recently addressed vulnerabilities have a CVSS score of 8.8.

The issue was related to a feature that allowed Ninja Forms users to revert the plugin’s styling and features to those of version 2.9.x. Two of the functions that it adds as part of this feature failed to check nonces, and one of them allowed importing forms containing custom HTML.

An attacker able to trick an administrator into clicking a crafted link could spoof requests using the admin’s session and import a form containing malicious code. The attacker could replace any existing form on the site, could have code executed in visitors’ browsers or redirect visitors to malicious websites, and could even take over the site by creating rogue admin accounts.
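The missing controls described above, shown as an added example that is not code from Ninja Forms or from Defiant's report: a form-import AJAX handler without a nonce check next to a hardened version. The plugin, action, nonce and option names (`example_import_form`, `example_form_*`, `_nonce`) and the form layout are hypothetical; the WordPress functions are the standard core APIs.

```php
<?php
/**
 * Plugin Name: Example Forms Import (hypothetical, for illustration only)
 */

// BEFORE: no nonce check, no capability check, and raw HTML is stored.
// A forged cross-site request riding on the admin's session reaches this code.
add_action( 'wp_ajax_example_import_form_unsafe', function () {
    $form = json_decode( wp_unslash( $_POST['form'] ?? '' ), true );
    update_option( 'example_form_' . (int) $form['id'], $form ); // stored as-is
    wp_send_json_success();
} );

// AFTER: the same import with the three missing controls added.
// The admin page that submits the import embeds wp_create_nonce( 'example_import_form' ).
add_action( 'wp_ajax_example_import_form', function () {
    // 1. CSRF: reject requests that do not carry a nonce minted for this action.
    if ( ! check_ajax_referer( 'example_import_form', '_nonce', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce', 403 );
    }
    // 2. Authorization: a valid nonce is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $form = json_decode( wp_unslash( $_POST['form'] ?? '' ), true );
    if ( ! is_array( $form ) || ! isset( $form['id'], $form['fields'] ) || ! is_array( $form['fields'] ) ) {
        wp_send_json_error( 'Malformed form definition', 400 );
    }
    // 3. Stored XSS: filter every imported string before it is saved.
    $clean = array( 'id' => absint( $form['id'] ), 'fields' => array() );
    foreach ( $form['fields'] as $field ) {
        if ( ! is_array( $field ) || ! is_string( $field['html'] ?? null ) ) {
            continue; // skip entries that are not in the expected shape
        }
        $clean['fields'][] = array(
            'label' => sanitize_text_field( $field['label'] ?? '' ),
            // wp_kses_post() drops <script> tags and on* event-handler attributes.
            'html'  => wp_kses_post( $field['html'] ),
        );
    }
    update_option( 'example_form_' . $clean['id'], $clean );
    wp_send_json_success( array( 'id' => $clean['id'] ) );
} );
```

Output escaping at render time is still needed; filtering on import only limits what can be stored.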

Disclosed on April 27, the vulnerability was addressed the very next day with the release of Ninja Forms

Two high-severity vulnerabilities were identified in the LearnPress plugin, one of them possibly leading to site takeover, Defiant says. Tracked as CVE-2020-11511, the bug has a CVSS score of 8.6.

A comprehensive learning management system (LMS) plugin for WordPress, LearnPress allows users to easily create and sell courses online. The plugin helps create education, online school, and online-course websites with no coding knowledge.

Defiant’s security researchers discovered an issue in plugin functionality where an email is sent to the administrator when a user requests to become an instructor. The function allowed even unauthenticated attackers to send requests and elevate the permissions of a user of their choice.

If they could elevate the permissions of their own user account, the attackers could even access a capability typically reserved for editors and administrators, where they could insert code into any page they created.

“With this capability, an attacker could easily insert malicious JavaScript into any posts they created, which could then be used to redirect visitors to malvertising sites or even be used for site takeover if a logged-in administrator viewed one of these posts,” Defiant says.

A second high-risk flaw in the plugin (CVE-2020-11510, CVSS score 7.1) could be abused to publish or trash any existing post or page, or even remove it from the site, by modifying its status. The attacker could also publish pages with spam links in the titles.

The issues were initially reported on March 16, and a complete patch was released on April 22. Users are advised to update the plugin to version to ensure they are protected.

Recently, LearnPress’ developers also addressed an SQL Injection flaw (CVE-2020-6010) in the plugin, residing in a method that failed to sufficiently sanitize user-supplied data before using it in an SQL query.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
