Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.
The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.
A brief description of each of the vulnerabilities is below -
- CVE-2023-37979 (CVSS score: 7.1) - A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website.
- CVE-2023-38386 and CVE-2023-38393 - Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site.
Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.
The disclosure comes as Patchstack revealed another reflected XSS vulnerability flaw in the Freemius WordPress software development kit (SDK) affecting versions prior to 2.5.10 (CVE-2023-33999) that could be exploited to obtain elevated privileges.
Also discovered by the WordPress security company is a critical bug in the HT Mega plugin (CVE-2023-37999) present in versions 2.2.0 and below that enables any unauthenticated user to escalate their privilege to that of any role on the WordPress site.