Flaws in Ninja Forms, LearnPress Plugins Exposed WordPress Sites to Attacks

High-severity vulnerabilities patched in the Ninja Forms and LearnPress WordPress plugins could be exploited to take over vulnerable sites, WordPress security company Defiant reports.

The developers of highly popular Ninja Forms last week addressed Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerabilities that attackers could chain to trick an admin into importing a contact form containing malicious JavaScript code that would then get executed when certain pages are visited.

With more than 1 million installations, the Ninja Forms plugin allows site admins to create user-friendly WordPress forms even without coding skills. Collectively tracked as CVE-2020-12462, the recently addressed vulnerabilities have a CVSS score of 8.8.

The issue was related to a feature that allowed Ninja Forms users to revert the plugin’s styling and features to those of version 2.9.x. Two of the functions that it adds as part of this feature failed to check nonces, and one of them allowed importing forms containing custom HTML.

An attacker able to trick an administrator into clicking a crafted link could spoof requests using the admin’s session and import a form containing malicious code. The attacker could replace any existing form on the site, could have code executed in visitors’ browsers or redirect visitors to malicious websites, and could even take over the site by creating rogue admin accounts.
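To show what the missing checks look like when they are present, here is an added example of a WordPress AJAX import handler that verifies a nonce, checks the caller's capability, and filters imported HTML before storing it. It is not Ninja Forms' code or its patch; every `example_*` name, the `security` and `form` request fields, and the option key are assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, not taken from Ninja Forms.
// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_import_form', 'example_import_form' );

// Value the admin page embeds in its import request as the 'security' field.
function example_import_nonce() {
    return wp_create_nonce( 'example_import_form' );
}

function example_import_form() {
    // 1. CSRF: the nonce is bound to this action and the current user, so a
    //    cross-site request riding the admin's cookies cannot supply it.
    //    Passing false as the third argument returns false instead of dying.
    if ( ! check_ajax_referer( 'example_import_form', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Parse the submitted form definition (JSON is an assumption here).
    $raw  = isset( $_POST['form'] ) ? wp_unslash( $_POST['form'] ) : '';
    $form = json_decode( $raw, true );
    if ( ! is_array( $form ) || empty( $form['fields'] ) || ! is_array( $form['fields'] ) ) {
        wp_send_json_error( array( 'message' => 'Malformed form data.' ), 400 );
    }

    // 4. Stored XSS: plain-text fields are stripped of markup; the custom HTML
    //    field goes through wp_kses_post(), which drops <script> elements and
    //    event-handler attributes such as onerror.
    $clean = array(
        'title'  => sanitize_text_field( isset( $form['title'] ) ? (string) $form['title'] : '' ),
        'fields' => array(),
    );
    foreach ( $form['fields'] as $field ) {
        if ( ! is_array( $field ) ) {
            continue;
        }
        $clean['fields'][] = array(
            'label' => sanitize_text_field( isset( $field['label'] ) ? (string) $field['label'] : '' ),
            'html'  => wp_kses_post( isset( $field['html'] ) ? (string) $field['html'] : '' ),
        );
    }

    update_option( 'example_imported_form', $clean );
    wp_send_json_success( array( 'imported_fields' => count( $clean['fields'] ) ) );
}
```

Each `wp_send_json_error()` call ends the request, so a failed check never reaches the import step.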

Disclosed on April 27, the vulnerability was addressed the very next day with the release of Ninja Forms 3.4.24.2.

Two high-severity vulnerabilities were identified in the LearnPress plugin, one of them possibly leading to site takeover, Defiant says. Tracked as CVE-2020-11511, the bug has a CVSS score of 8.6.

A comprehensive learning management system (LMS) plugin for WordPress, LearnPress allows users to easily create and sell courses online. The plugin helps create education, online school, and online-course websites with no coding knowledge.

Defiant’s security researchers discovered an issue in plugin functionality where an email is sent to the administrator when a user requests to become an instructor. The function allowed even unauthenticated attackers to send requests and elevate the permissions of a user of their choice.

If they could elevate the permissions of their own user account, the attackers could even access a capability typically reserved to editors and administrators, where they could insert code into any page they created.

“With this capability, an attacker could easily insert malicious JavaScript into any posts they created, which could then be used to redirect visitors to malvertising sites or even be used for site takeover if a logged-in administrator viewed one of these posts,” Defiant says.

A second high-risk flaw in the plugin (CVE-2020-11510, CVSS score 7.1) could be abused to publish or trash any existing post or page, or even remove it from the site, by modifying its status. The attacker could also publish pages with spam links in the titles.

The issues were initially reported on March 16, and a complete patch was released on April 22. Users are advised to update the plugin to version 3.2.6.9 to ensure they are protected.

Recently, LearnPress’ developers also addressed an SQL Injection flaw (CVE-2020-6010) in the plugin, residing in a method that failed to sufficiently sanitize user-supplied data before using it in an SQL query.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
