911 Hack Removal

Popular Plugin Ninja Forms Vulnerable to Arbitrary File Upload & Path Traversal

Updated on: March 29, 2020

Popular Plugin Ninja Forms Vulnerable to Arbitrary File Upload & Path Traversal

Article Summary

Ninja Forms, is a WordPress plugin which allows websites to facilitate creating and customizing forms just by dragging and dropping. Moreover, it is currently in use on 1 million+ websites. This data, obviously, hints at the popularity Ninja forms when enjoying when the news of Ninja Forms’ “File upload” extension being vulnerable to arbitrary file upload and path traversal surfaced a day ago. And it was quite a shocker.

Ninja Forms is a WordPress plugin that allows websites to facilitate creating and customizing forms just by dragging and dropping. Moreover, it is currently in use on 1 million+ websites. This data, obviously, hints at the popularity Ninja forms was enjoying when the news of Ninja Forms’ “File upload” extension being vulnerable to arbitrary file upload and path traversal surfaced a day ago. And it was quite a shocker.

Ninja Forms on WordPress

The vulnerability was exposed by Onvio information security. It even published the outcomes of the pentesting it did of the plugin in its article – PENTEST REVEALS VULNERABILITIES IN WORDPRESS PLUGIN NINJA FORMS <= 3.0.22.

You can see the details found in the above-mentioned pentesting in the following section.

Vulnerability Details

So, What actually happened is that Onvio while pentesting for one of its clients, found that the ninja forms was allowing path traversal and Arbitrary code execution.

This eventually allowed an unauthenticated attacker to traverse the file system to access important files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

Arbitrary File Upload

The following picture is the request sent to the server:

This is what he received for a response.

Using the tmp_name in the above response, the hacker again made a request to the server with a file name using brackets to skip detection as a malicious attempt.

And, as suspected, the WordPress function sanitize_file_name removes brackets in this case, as it only sanitizes a set of predefined special characters. And the file test.png.doc with info <? php phpinfo(); ?> gets uploaded to test.php, which happens to be a core file.

Path Traversal

The hacker tried to retrieve the wp-config.php file using the following code, which indeed presented the database with sensitive details.

How to be safe?

Well, the vulnerabilities in the Ninja Forms has been mitigated by the launch of version 3.0.33 in place of the vulnerable version 3.0.22. The least you can do now is update your website to this version.

Astra for WordPress

Having a comprehensive Security solution like Astra can protect your WordPress site 24/7 against every kind of hack. Astra’s Firewall actively monitors your traffic to block XSS, CSRF, Bad Bots and 100+ attacks. Most importantly, Astra is highly affordable for even personal blogs on WordPress with prices starting from $19. Specially built for WordPress like CMS(s), Astra can protect you from severe mishaps. Get an Astra demo now!

Was this post helpful?

Tags: ,

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany