High-severity vulnerabilities patched in the Ninja Forms and LearnPress WordPress plugins could be exploited to take over vulnerable sites, WordPress security company Defiant reports.
With more than 1 million installations, the Ninja Forms plugin allows site admins to create user-friendly WordPress forms without coding skills. Collectively tracked as CVE-2020-12462, the recently addressed vulnerabilities have a CVSS score of 8.8.
The issue was related to a feature that allows Ninja Forms users to revert the plugin’s styling and features to those of version 2.9.x. Two of the functions added as part of this feature failed to check nonces, and one of them allowed importing forms containing custom HTML.
An attacker able to trick an administrator into clicking a crafted link could forge requests using the admin’s session and import a form containing malicious code. The attacker could replace any existing form on the site, have code executed in visitors’ browsers or redirect visitors to malicious websites, and could even take over the site by creating rogue admin accounts.
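The flaw described above is a classic missing-nonce CSRF in an admin-ajax handler. The following is an added illustration, not Ninja Forms code: a hypothetical "import form" handler written the way the article describes the defect, beside a hardened version that checks a nonce, requires a capability and filters custom HTML before storing it. All function, option and action names (`example_import_form`, `example_form_*`, the `nonce` field) are assumptions.

```php
<?php
/**
 * Added example (not Ninja Forms code). Names are hypothetical.
 */

// --- Vulnerable pattern: any request the admin's browser can be made to send is accepted. ---
function example_import_form_unsafe() {
	// No nonce: a request forged from another site rides on the admin's cookies.
	// No capability check: any logged-in session qualifies.
	$form = json_decode( wp_unslash( $_POST['import'] ), true );
	// Custom HTML is stored verbatim and later echoed to every visitor.
	update_option( 'example_form_' . absint( $form['id'] ), $form );
	wp_send_json_success();
}

// --- Hardened version. ---
function example_import_form() {
	// 1. The nonce ties the request to this user's session and this action;
	//    check_ajax_referer() terminates the request when it is missing or invalid.
	check_ajax_referer( 'example_import_form', 'nonce' );

	// 2. Require a capability, not merely a logged-in session.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 3. Validate the payload shape before touching anything.
	$raw  = isset( $_POST['import'] ) ? wp_unslash( $_POST['import'] ) : '';
	$form = json_decode( $raw, true );
	if ( ! is_array( $form ) || empty( $form['id'] ) ) {
		wp_send_json_error( 'malformed form', 400 );
	}

	// 4. Custom HTML is reduced to post-safe markup (no <script>, no on*
	//    handlers, no javascript: URLs) before it is persisted.
	if ( isset( $form['custom_html'] ) ) {
		$form['custom_html'] = wp_kses_post( $form['custom_html'] );
	}

	update_option( 'example_form_' . absint( $form['id'] ), $form );
	wp_send_json_success( array( 'id' => absint( $form['id'] ) ) );
}
// wp_ajax_ hooks fire only for logged-in users; there is deliberately no nopriv variant.
add_action( 'wp_ajax_example_import_form', 'example_import_form' );

// The nonce the hardened handler expects is minted server-side for the admin
// page that hosts the import button and handed to the script that sends it.
function example_enqueue_import_script() {
	wp_enqueue_script( 'example-import', plugins_url( 'import.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'example-import', 'exampleImport', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_import_form' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_import_script' );
```

The nonce alone is what defeats the crafted-link scenario: a page on another origin can make the admin's browser send the request with the admin's cookies, but it cannot read a nonce that was generated for that admin's session. The capability check is still needed because a nonce only proves the request came from the current user's own page, not that the user is allowed to do this.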
Disclosed on April 27, the vulnerability was addressed the very next day with the release of a patched version of Ninja Forms.
Two high-severity vulnerabilities were identified in the LearnPress plugin, one of them possibly leading to site takeover, Defiant says. Tracked as CVE-2020-11511, the bug has a CVSS score of 8.6.
A comprehensive learning management system (LMS) plugin for WordPress, LearnPress allows users to easily create and sell courses online. The plugin helps create education, online school, and online-course websites with no coding knowledge.
Defiant’s security researchers discovered an issue in plugin functionality where an email is sent to the administrator when a user requests to become an instructor. The function allowed even unauthenticated attackers to send requests and elevate the permissions of a user of their choice.
If they could elevate the permissions of their own user account, the attackers could even gain a capability typically reserved for editors and administrators, allowing them to insert code into any page they created.
A second high-risk flaw in the plugin (CVE-2020-11510, CVSS score 7.1) could be abused to publish or trash any existing post or page, or even remove it from the site, by modifying its status. The attacker could also publish pages with spam links in the titles.
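Both LearnPress issues come down to missing authentication and authorization on state-changing handlers: the instructor request trusted a client-supplied user id and performed the elevation itself, and the status change was not checked against who may publish or trash a given post. The following is an added example, not LearnPress code, showing the unsafe request pattern beside a hardened flow in which the request is only recorded for the authenticated caller, the role change is a separate administrator action, and status updates are authorized per post. The role name `instructor`, the meta key, and all action and function names are assumptions.

```php
<?php
/**
 * Added example (not LearnPress code). Role, meta key and action names are hypothetical.
 */

// Vulnerable pattern: reachable without login, trusts a POSTed user id, and
// performs the elevation itself instead of recording a request for review.
function example_request_instructor_unsafe() {
	$user = new WP_User( absint( $_POST['user_id'] ) );
	$user->set_role( 'instructor' );
	wp_mail( get_option( 'admin_email' ), 'Instructor request', 'User ' . $user->ID );
	wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_request_instructor', 'example_request_instructor_unsafe' );

// Hardened: the request is recorded for the caller only; nothing is elevated here.
function example_request_instructor() {
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'login required', 401 );
	}
	check_ajax_referer( 'example_request_instructor', 'nonce' );

	// The subject of the request is whoever is authenticated, never a POST field.
	$user_id = get_current_user_id();
	update_user_meta( $user_id, '_example_instructor_request', time() );

	wp_mail(
		get_option( 'admin_email' ),
		'Instructor request pending',
		sprintf( 'User #%d asked to become an instructor. Review it in the dashboard.', $user_id )
	);
	wp_send_json_success();
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added for it.
add_action( 'wp_ajax_example_request_instructor', 'example_request_instructor' );

// The role change is a separate, privileged action taken by an administrator.
function example_approve_instructor() {
	check_ajax_referer( 'example_approve_instructor', 'nonce' );
	if ( ! current_user_can( 'promote_users' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
	// Only users who actually filed a request can be promoted through this path.
	if ( ! $user_id || ! get_user_meta( $user_id, '_example_instructor_request', true ) ) {
		wp_send_json_error( 'no pending request', 400 );
	}
	$user = new WP_User( $user_id );
	$user->set_role( 'instructor' );
	delete_user_meta( $user_id, '_example_instructor_request' );
	wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_example_approve_instructor', 'example_approve_instructor' );

// Status changes are authorized per post against an allow-list of statuses.
function example_set_post_status() {
	check_ajax_referer( 'example_set_post_status', 'nonce' );
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

	$allowed = array( 'publish', 'draft', 'pending', 'trash' );
	if ( ! $post_id || ! in_array( $status, $allowed, true ) ) {
		wp_send_json_error( 'bad request', 400 );
	}
	// Object-level checks: WordPress maps these meta capabilities per post
	// (owner, post type), so an author cannot publish or trash someone else's page.
	$cap = ( 'publish' === $status ) ? 'publish_post' : ( 'trash' === $status ? 'delete_post' : 'edit_post' );
	if ( ! current_user_can( $cap, $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	if ( 'trash' === $status ) {
		wp_trash_post( $post_id );
	} else {
		wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
	}
	wp_send_json_success( array( 'post_id' => $post_id, 'status' => $status ) );
}
add_action( 'wp_ajax_example_set_post_status', 'example_set_post_status' );
```

Splitting "request" from "approve" is the design point: the unauthenticated or low-privilege side of the flow never touches roles, so even a bug in the request handler cannot elevate anyone. The status handler shows the second pattern, checking a meta capability against the specific post rather than only asking whether the user is logged in.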
The issues were initially reported on March 16, and a complete patch was released on April 22. Users are advised to update the plugin to the patched version to ensure they are protected.
Recently, LearnPress’ developers also addressed an SQL injection flaw (CVE-2020-6010) in the plugin, residing in a method that failed to sufficiently sanitize user-supplied data before using it in an SQL query.
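The standard WordPress defense for the class of flaw just described is `$wpdb->prepare()`, which binds values through placeholders instead of splicing them into the query string. The following is an added example, not the LearnPress method in question: a course-title search written by string concatenation, beside the same query written with prepared placeholders and escaped LIKE wildcards. The post type `example_course` and the function names are assumptions.

```php
<?php
/**
 * Added example (not LearnPress code). Post type and function names are hypothetical.
 */

// Vulnerable: the search term is spliced into SQL, so quotes and comment
// markers in it change the query rather than being matched as text.
function example_search_courses_unsafe( $term ) {
	global $wpdb;
	$sql = "SELECT ID, post_title FROM {$wpdb->posts}"
	     . " WHERE post_type = 'example_course' AND post_status = 'publish'"
	     . " AND post_title LIKE '%" . $term . "%'";
	return $wpdb->get_results( $sql );
}

// Hardened: values go through $wpdb->prepare() placeholders (%s is quoted and
// escaped by prepare itself, so no quotes appear around it in the template),
// and LIKE metacharacters in the input are escaped so they cannot widen the match.
function example_search_courses( $term ) {
	global $wpdb;
	$term = sanitize_text_field( wp_unslash( $term ) );
	if ( '' === $term ) {
		return array();
	}
	$like = '%' . $wpdb->esc_like( $term ) . '%';
	$sql  = $wpdb->prepare(
		"SELECT ID, post_title FROM {$wpdb->posts}"
		. " WHERE post_type = %s AND post_status = %s AND post_title LIKE %s"
		. " ORDER BY post_title ASC LIMIT %d",
		'example_course',
		'publish',
		$like,
		20
	);
	return $wpdb->get_results( $sql );
}
```

Only the table name is interpolated, and it comes from `$wpdb->posts` rather than from the request; placeholders cannot parameterize identifiers, so anything like a column or table name chosen by the user still has to be validated against an allow-list before it reaches the query.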