WordPress Ninja Forms Vulnerability exposes millions of sites

The news is surfacing about the new WordPress Ninja Forms vulnerability. The popular WordPress Ninja Forms has patched two vulnerabilities. It is affecting more than 1 million WordPress installations. This represents another list of REST API which is related to the vulnerability. These are coming under light among various WordPress plugins.

It needs to be reiterated that there is nothing wrong with the WordPress REST API itself. The problems originate from how the WordPress plugins design their way of interaction with the REST API.

The WordPress REST API is a form of interface that lets plugins interact with WordPress core. The REST API allows the plugins, themes, and applications to manipulate the content and creates some indicative functionalities.

This technology further extends to what the WordPress Core can do. The WordPress core receives data from the REST API interface from the plugins to accomplish the new experiences.

Just like any other interest, it allows for the uploading and inputting of the data. It is very important to sanitize the input and who can make the input. It will also help to ensure that the data meets the expectations and follows the design for receiving.

Failure in sanitizing these inputs and restrictions on who can input the data can lead to WordPress Ninja form vulnerability. This is exactly the case here.

Two vulnerabilities were the result of a single REST API validation issue in the Permission Callbacks. However, it is a part of the authentication process which restricts access to REST API Endpoints to the authorized users.

Two vulnerabilities have relation to the permissions callback error in the implementation. There is simply nothing wrong with WordPress REST API. But how the plugin makers are implementing it can lead to many problems. The two vulnerabilities are Sensitive Information Disclosure and Unprotected REST API to Email Injection.

The Sensitive Information Disclosure vulnerability allows the registered users and subscribers to export every form that includes all the confidential information. The Unprotected REST API to Email Injection vulnerability takes place due to a faulty permission callback that fails to check the permission level for the registered attackers.

Security researchers of Wordfence are recommending the use of the WordPress Ninja Forms plugin to update it immediately. This vulnerability is also offering medium-level danger with a score of 6.5 out of 10.