Ninja Forms, a popular WordPress form-builder plugin installed on more than 1 million sites, has patched two vulnerabilities. Both stem from how the plugin used the WordPress REST API, adding to a growing list of REST API-related flaws found in WordPress plugins.
It is worth reiterating that there is nothing wrong with the WordPress REST API itself. The problems originate in how individual plugins design their interaction with it.
The WordPress REST API is an HTTP interface through which plugins, themes and external applications read and manipulate WordPress content and expose new functionality. It extends what WordPress core can do on its own: core receives requests through the REST API, and plugin-registered endpoints act on that data to deliver new features.
Like any other interface, it accepts uploaded and submitted data. It is therefore essential to sanitize that input and to restrict who is allowed to submit it, so that the data meets the expectations of the code that receives it.
Failing to sanitize input, or failing to restrict who may send it, is exactly what led to the Ninja Forms vulnerabilities.
Both vulnerabilities trace back to a single validation issue in the plugin's permission callbacks. A permission callback is the part of a REST API route registration that decides whether the caller is authorized to reach that endpoint; if it returns true for callers it should reject, every protection behind it is bypassed. The two issues are a Sensitive Information Disclosure and an Unprotected REST API to Email Injection.
The Sensitive Information Disclosure vulnerability allowed any registered user, including subscribers, to export every form submission, together with whatever confidential information those submissions contained. The Unprotected REST API to Email Injection vulnerability was caused by a permission callback that did not check the privilege level of a logged-in user, so a low-privileged registered attacker could reach the endpoint and send email through the site.
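The pattern described above, shown as an added example: this is a hypothetical plugin and not Ninja Forms code. The `example/v1` namespace, the route paths and the `example_form_submissions` option are assumptions. The weak permission callback only checks that the caller is logged in, so a subscriber passes; the hardened callbacks require a capability, and the email route declares validation and sanitization on its arguments so WordPress rejects bad input before the handler runs.

```php
<?php
/*
 * Added example, not Ninja Forms code. Hypothetical plugin exposing two REST
 * endpoints: an export of stored submissions and a "send email" action.
 * Assumed names: the 'example/v1' namespace, the route paths and the
 * 'example_form_submissions' option used as a stand-in submission store.
 */

// WEAK (do not use): passes for every authenticated user, subscribers included.
// This is the class of mistake the article describes.
function example_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: require a real capability. Subscribers lack 'manage_options';
// administrators have it. A custom capability could be used instead.
function example_admin_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to use this endpoint.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

function example_export_submissions( WP_REST_Request $request ) {
    // Stand-in for the real submission store (assumed option name).
    $submissions = get_option( 'example_form_submissions', array() );
    return rest_ensure_response( $submissions );
}

function example_send_email( WP_REST_Request $request ) {
    // Route 'args' below already validated/sanitized these, but a defensive
    // re-check costs nothing. sanitize_text_field() strips line breaks, which
    // is what prevents a subject from smuggling extra mail headers.
    $to      = $request->get_param( 'to' );
    $subject = sanitize_text_field( $request->get_param( 'subject' ) );
    $body    = wp_kses_post( $request->get_param( 'body' ) );

    if ( ! is_email( $to ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid recipient.', array( 'status' => 400 ) );
    }
    $sent = wp_mail( $to, $subject, $body );
    return rest_ensure_response( array( 'sent' => (bool) $sent ) );
}

add_action( 'rest_api_init', function () {
    // Weak registration: any logged-in user can dump every submission.
    register_rest_route( 'example/v1', '/export-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_export_submissions',
        'permission_callback' => 'example_weak_permission',
    ) );

    // Hardened export: capability check in the permission callback.
    register_rest_route( 'example/v1', '/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_export_submissions',
        'permission_callback' => 'example_admin_permission',
    ) );

    // Hardened email: capability check plus per-argument validation and
    // sanitization, so malformed input never reaches wp_mail().
    register_rest_route( 'example/v1', '/send-email', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_send_email',
        'permission_callback' => 'example_admin_permission',
        'args'                => array(
            'to' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
            ),
            'subject' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'body' => array(
                'required'          => true,
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
} );
```

To check a site for this class of bug, authenticate as a subscriber (for example with an application password) and request each plugin endpoint under `/wp-json/`; any endpoint that returns data or performs an action for that account, rather than a 401 or 403, has a permission callback that is too permissive.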
Wordfence researchers recommend that sites running the Ninja Forms plugin update it immediately. The vulnerability is rated medium severity, with a score of 6.5 out of 10.