In the Ninja Forms WordPress plugin, there exists an SQL Injection Flaw. The vulnerability can be exploited very easily. Once a site gets infected, a hacker can quite easily dump sensitive information in a great deal.
The problem was recently fixed in the version 2.9.55.2 of the plugin while all the earlier versions are vulnerable to the infection.
The flaw was detected for the first time by Sucuri, a globally distributed security company focusing on detecting and remediating compromised sites, on August 11, 2016. As soon as the bug was detected the flaw was removed within 5 hours and 14 minutes by the Ninja Forms team.
An account is needed by the hacker to proceed on a site:
According to the statistics given by the WordPress Plugin Directory, Ninja Forms is a very frequently used plugin developed by WP Ninjas, LLC. The plugin is installed on more than 600,000 websites.
Sucuri reports that the foremost requirement of a hacker is to register an account on the targeted site in order to compromise a site. So such a requirement somewhat decreases the chances of getting hacked but still many websites allow their users to register so that they may post comments on some blog posts.
The WordPress users can create web forms in different sort of configurations by using the Ninja Forms. On sites, this is brought into practice, by a drag-and-drop builder that results in shortcodes which the users can easily embed into the content of their choice. Moreover, for querying diverse details from the contact forms, some short-codes are also provided.
According to the security company, the hacker sends a custom ‘HTTP POST’ request to the site of concern bearing a short-code of the following form:
[ninja_forms_display_sub_number id=”123′ SQL INJECTION OCCURS HERE”]
And thus an SQL injection is triggered as willed by the hacker.
Usernames and Passwords can be pilfered by the hackers:
Once the SQL infection gets triggered, the hackers are then capable of dumping website’s details such as the usernames and hashed passwords, however, at time WordPress secret keys are also dumped.
Hackers who are not quite proficient can easily exploit as the exploitation chain is trivial. However, the Sucuri’s security team detected some improvement of the security model of WordPress. In this regard, Sucuri’s Marc-Alexandre Montpas writes “SQL injections tend to be trickier to find in popular plugins now than they used to be,” and he further added “partly due to the increasing popularity of prepared statements like $wpdb->prepare().”