
Popular Plugin Ninja Forms Vulnerable to Arbitrary File Upload & Path Traversal

Updated on: March 29, 2020


Article Summary

Ninja Forms is a WordPress plugin that lets websites create and customize forms simply by dragging and dropping, and it is currently in use on 1 million+ websites. Those numbers show the popularity Ninja Forms was enjoying when news surfaced a day ago that its “File Upload” extension was vulnerable to arbitrary file upload and path traversal. It was quite a shocker.

Ninja Forms on WordPress

The vulnerability was disclosed by Onvio Information Security, which published the results of its pentest of the plugin in its article – PENTEST REVEALS VULNERABILITIES IN WORDPRESS PLUGIN NINJA FORMS <= 3.0.22.

You can see the details found in the above-mentioned pentesting in the following section.

Vulnerability Details

What actually happened is that Onvio, while pentesting for one of its clients, found that Ninja Forms allowed path traversal and arbitrary code execution.

This allowed an unauthenticated attacker to traverse the file system, read sensitive files and execute code via the name and tmp_name parameters of includes/fields/upload.php (the upload/submit page).

Arbitrary File Upload

The following picture is the request sent to the server:

This is the response he received.

Using the tmp_name from the above response, the hacker sent another request to the server with a file name containing brackets, so that the upload would not be detected as a malicious attempt.

And, as suspected, the WordPress function sanitize_file_name removes the brackets in this case, because it only strips a predefined set of special characters. The file test.png.doc, containing <?php phpinfo(); ?>, is therefore uploaded as test.php, which happens to be a core file.

Path Traversal

The hacker then retrieved the wp-config.php file using the following code, which indeed revealed the database details and other sensitive information.
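The two findings above share one lesson: a filename check is only meaningful if it runs on the name that will actually be stored (after sanitization), and a client-supplied tmp_name must be confined to the upload directory before it is touched. The following is an added example written for this article, not code from Ninja Forms or WordPress; the character set stripped by toy_sanitize_file_name, the extension allowlist and the sample inputs are all constructed, and the checks are the kind a plugin's upload handler should perform.

```python
import os
from typing import List, Optional

# Constructed stand-in for a sanitizer that only strips a predefined set of
# special characters (the behaviour the article attributes to sanitize_file_name).
# This is NOT WordPress's implementation; it only models the "fixed blocklist" idea.
STRIPPED_CHARS = set('?[]/\\=<>:;,\'"&$#*()|~`!{}%+')

# Constructed allowlist: only file types the form is meant to accept.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}


def toy_sanitize_file_name(name: str) -> str:
    """Drop the blocklisted characters and turn spaces into dashes."""
    cleaned = "".join(ch for ch in name if ch not in STRIPPED_CHARS)
    return cleaned.replace(" ", "-")


def extensions_of(name: str) -> List[str]:
    """All dotted components after the base name: 'a.png.doc' -> ['png', 'doc']."""
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def naive_last_extension_ok(raw_name: str) -> bool:
    """The weak check: look only at the last extension of the raw (unsanitized) name.
    Shown for contrast; a double extension such as 'x.php.png' passes it."""
    exts = extensions_of(raw_name)
    return bool(exts) and exts[-1] in ALLOWED_EXTENSIONS


def is_safe_upload_name(raw_name: str) -> bool:
    """The hardened check: sanitize first, then require EVERY extension component
    of the final stored name to be on the allowlist."""
    final = toy_sanitize_file_name(raw_name)
    exts = extensions_of(final)
    if not exts:
        return False
    return all(e in ALLOWED_EXTENSIONS for e in exts)


def resolve_within(upload_root: str, tmp_name: str) -> Optional[str]:
    """Confine a client-supplied tmp_name to upload_root.
    Returns the resolved path, or None if the value is absolute, uses
    backslashes, or escapes the root via '..' (path traversal)."""
    root = os.path.realpath(upload_root)
    if not tmp_name or os.path.isabs(tmp_name) or "\\" in tmp_name:
        return None
    candidate = os.path.realpath(os.path.join(root, tmp_name))
    # commonpath is prefix-safe: '/tmp/uploads2' is not inside '/tmp/uploads'.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, as a form handler might receive them.
    for name in ["report.pdf", "photo 1.png", "shell.php", "image.php.png"]:
        print(f"{name!r:20} naive={naive_last_extension_ok(name)!s:5} "
              f"strict={is_safe_upload_name(name)}")
    for tmp in ["sub/file.png", "../../wp-config.php", "/etc/passwd"]:
        print(f"{tmp!r:24} -> {resolve_within('/tmp/uploads', tmp)}")
```

The strict check deliberately rejects any executable component anywhere in the name, not just at the end, because web servers configured for multi-extension handling may execute image.php.png as PHP. The tmp_name check relies on realpath and commonpath rather than string prefix tests, so a symlink or a sibling directory with a shared prefix cannot slip past it.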

How to be safe?

Well, the vulnerabilities in Ninja Forms have been mitigated by the release of version 3.0.33, which replaces the vulnerable version 3.0.22. The least you can do now is update your website to this version.

Astra for WordPress

Having a comprehensive security solution like Astra can protect your WordPress site 24/7 against every kind of hack. Astra’s firewall actively monitors your traffic to block XSS, CSRF, bad bots and 100+ other attacks. Most importantly, Astra is highly affordable even for personal blogs on WordPress, with prices starting from $19. Built specifically for CMSs like WordPress, Astra can protect you from severe mishaps. Get an Astra demo now!


Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
