A few times a year we see very bad vulnerabilities come along. This is, unfortunately, one of those times. Ninja Forms versions 2.9.36 to 2.9.42 contain multiple vulnerabilities. One of the vulnerabilities results in an attacker being able to upload and execute a shell on WordPress sites using Ninja Forms. We have developed a working exploit for internal use at Wordfence. The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42. Wordfence Firewall already protects against uploading of malicious PHP files, so you were already protected against this attack while it was still a 0 day. As an additional precaution, this morning we have released three additional rules via the Wordfence Threat Defense Feed which are already active on our Wordfence Premium customer sites. Ninja Forms has over 500,000 active installs, so the impact of this vulnerability is going to be fairly wide-spread. We are monitoring attacks in real-time and are not yet seeing this being widely exploited yet. We suspect this is because an exploit has not shown up yet on exploit-db or other public exploit databases (as of 9am Pacific time on May 5th).
Share This