Flaws in Ninja Forms, LearnPress Plugins Exposed WordPress Sites to Attacks

High-severity vulnerabilities patched in the Ninja Forms and LearnPress WordPress plugins could be exploited to take over vulnerable sites, WordPress security company Defiant reports.

The developers of highly popular Ninja Forms last week addressed Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerabilities that attackers could chain to trick an admin into importing a contact form containing malicious JavaScript code that would then get executed when certain pages are visited.

With more than 1 million installations, the Ninja Forms plugin allows site admins to create user-friendly WordPress forms even without coding skills. Collectively tracked as CVE-2020-12462, the recently addressed vulnerabilities have a CVSS score of 8.8.

The issue was related to a feature that allowed Ninja Forms users to revert the plugin’s styling and features to those of version 2.9.x. Two of the functions that it adds as part of this feature failed to check nonces, and one of them allowed importing forms containing custom HTML.

An attacker able to trick an administrator into clicking a crafted link could spoof requests using the admin’s session and import a form containing malicious code. The attacker could replace any existing form on the site, could have code executed in visitors’ browsers or redirect visitors to malicious websites, and could even take over the site by creating rogue admin accounts.

Disclosed on April 27, the vulnerability was addressed the very next day with the release of Ninja Forms

Two high-severity vulnerabilities were identified in the LearnPress plugin, one of them possibly leading to site takeover, Defiant says. Tracked as CVE-2020-11511, the bug has a CVSS score of 8.6.

A comprehensive learning management system (LMS) plugin for WordPress, LearnPress allows users to easily create and sell courses online. The plugin helps create education, online school, and online-course websites with no coding knowledge.

Defiant’s security researchers discovered an issue in plugin functionality where an email is sent to the administrator when a user requests to become an instructor. The function allowed even unauthenticated attackers to send requests and elevate the permissions of a user of their choice.

If they could elevate the permissions of their own user account, the attackers could even access a capability typically reserved for editors and administrators, allowing them to insert code into any page they created.
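As an added illustration (not code from Ninja Forms or LearnPress, and not part of Defiant’s report), the two handler sketches below show the checks the article says were missing: a nonce and capability check on an admin form import, and an authenticated, self-only “become an instructor” request that does not change roles directly. Hook names, action names, option keys and function names are hypothetical.

```php
<?php
// Added illustration, not plugin code: two hardened WordPress handlers.
// Hook, action and function names are hypothetical.

// (1) Admin form import: nonce check against CSRF, explicit capability
//     check, and HTML filtering on the imported form body.
add_action( 'admin_post_example_import_form', 'example_secure_import_form' );
function example_secure_import_form() {
    // Reject requests without a valid nonce for this specific action; this
    // is the check the article says two Ninja Forms functions skipped.
    check_admin_referer( 'example_import_form' );

    // A nonce proves intent, not authority: still require admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // wp_kses_post() drops <script> and event-handler attributes, so a
    // stored-XSS payload in the imported form body is neutralised.
    $form_html = wp_kses_post( wp_unslash( $_POST['form_html'] ?? '' ) );
    $title     = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'example_imported_form', array( 'title' => $title, 'html' => $form_html ) );

    wp_safe_redirect( admin_url( 'admin.php?page=example-forms&imported=1' ) );
    exit;
}

// (2) "Become an instructor" request: authenticated, acts only on the
//     calling user, and records a pending request instead of changing roles.
add_action( 'wp_ajax_example_request_instructor', 'example_secure_instructor_request' );
function example_secure_instructor_request() {
    // wp_ajax_ (not wp_ajax_nopriv_) already needs a logged-in user; check
    // explicitly so the requirement survives refactoring.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required.', 401 );
    }
    check_ajax_referer( 'example_request_instructor', 'nonce' );

    // Never take the target user from the request: callers may only ask
    // for their own account, which closes the "user of their choice" path.
    $user_id = get_current_user_id();

    // Mark the request pending; an administrator grants the role later.
    update_user_meta( $user_id, 'example_instructor_request', 'pending' );
    wp_mail( get_option( 'admin_email' ), 'Instructor request',
             sprintf( 'User %d requested instructor access.', $user_id ) );

    wp_send_json_success( array( 'status' => 'pending' ) );
}
```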

“With this capability, an attacker could easily insert malicious JavaScript into any posts they created, which could then be used to redirect visitors to malvertising sites or even be used for site takeover if a logged-in administrator viewed one of these posts,” Defiant says.

A second high-risk flaw in the plugin (CVE-2020-11510, CVSS score 7.1) could be abused to publish or trash any existing post or page, or even remove it from the site, by modifying its status. The attacker could also publish pages with spam links in the titles.

The issues were initially reported on March 16, and a complete patch was released on April 22. Users are advised to update the plugin to version to ensure they are protected.

Recently, LearnPress’ developers also addressed an SQL Injection flaw (CVE-2020-6010) in the plugin, residing in a method that failed to sufficiently sanitize user-supplied data before using it in an SQL query.

Related: Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin

Related: Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks

Related: Critical Flaw in SEO Plugin Exposed Many WordPress Sites to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
