Vulnerabilities discovered in two of the most popular WordPress contact form plugins could affect over 1.1 million installations

Advisories have been issued regarding vulnerabilities discovered in two of the most popular WordPress contact form plugins, potentially affecting over 1.1 million installations. Users are advised to update their plugins to the latest versions.
+1 Million WordPress Contact Forms Installations
The affected contact form plugins are Ninja Forms (with over 800,000 installations) and Contact Form Plugin by Fluent Forms (+300,000 installations). The vulnerabilities are not related to each other and arise from separate security flaws.
Ninja Forms is affected by a failure to escape a URL, which can lead to a reflected cross-site scripting attack (reflected XSS), and the Fluent Forms vulnerability is due to an insufficient capability check.
Ninja Forms Reflected Cross-Site Scripting
The reflected cross-site scripting vulnerability that the Ninja Forms plugin is at risk for can allow an attacker to target an admin-level user of a website in order to gain that user's website privileges. It requires an extra step: tricking an admin into clicking a link. This vulnerability is still undergoing assessment and has not been assigned a CVSS threat level score.
Fluent Forms Missing Authorization
The Fluent Forms contact form plugin is missing a capability check, which could lead to an unauthorized ability to modify an API (an API is a bridge between two different pieces of software that allows them to communicate with each other).
This vulnerability requires an attacker to first attain subscriber-level authorization, which can be achieved on a WordPress site that has the subscriber registration feature turned on but is not possible on sites that don't. This vulnerability was assigned a medium threat level score of 4.2 (on a scale of 1 – 10).
Wordfence describes this vulnerability:
“The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18.
This makes it possible for Form Managers with Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server.”
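To show what the two flaw classes above look like in plugin code, here is an added illustration (not code from Fluent Forms, Ninja Forms or Wordfence) of a WordPress admin-ajax handler that stores a third-party integration API key: a weak version that, like the missing capability check described above, lets any authenticated user overwrite the key, beside a hardened version that also validates the key so it cannot steer integration requests elsewhere. The option name, action names, nonce name and key format are assumptions, and the closing helper shows the escaping whose absence is the reflected XSS class described for Ninja Forms.

```php
<?php
// Added illustration, not code from Fluent Forms or Ninja Forms: an admin-ajax
// handler that stores a third-party integration API key. The first version
// omits the capability check, so any authenticated user (Subscriber and up)
// holding a valid nonce can overwrite the key. The second version is the
// hardened form. Option name, action names and key format are assumptions.

// --- Weak: a nonce proves the request originated from this site, not that
// the user is allowed to change settings; any logged-in user can reach
// admin-ajax.php, so Subscriber-level accounts can call this handler.
function weak_save_integration_key() {
    check_ajax_referer( 'example_integration_nonce', 'nonce' );
    update_option( 'example_integration_api_key', $_POST['api_key'] ?? '' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_key_weak', 'weak_save_integration_key' );

// --- Hardened: require a capability only administrators hold, keep the
// nonce, and validate the key before storing it so a malformed or
// attacker-shaped value cannot redirect integration requests.
function example_validate_api_key( string $key ): ?string {
    $key = trim( $key );
    // Assumed format for this hypothetical service: 32 hex characters, a
    // dash, then a short alphanumeric datacenter suffix (e.g. "...-us21").
    return preg_match( '/^[0-9a-f]{32}-[a-z0-9]{2,6}$/', $key ) === 1 ? $key : null;
}

function hardened_save_integration_key() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_integration_nonce', 'nonce' );

    $key = example_validate_api_key( wp_unslash( $_POST['api_key'] ?? '' ) );
    if ( $key === null ) {
        wp_send_json_error( 'malformed API key', 400 );
    }
    update_option( 'example_integration_api_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_key', 'hardened_save_integration_key' );

// --- When a page echoes a request-derived value such as a redirect URL back
// into HTML, escape it for that context; leaving out esc_url() is the
// reflected XSS class described for Ninja Forms.
function example_render_redirect_link( string $url ): string {
    return '<a href="' . esc_url( $url ) . '">Back</a>';
}
```

A quick audit check for the first flaw class is to grep a plugin's wp_ajax_ and REST callbacks for handlers that call check_ajax_referer() or a permission_callback without any current_user_can() test.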
Recommended Action
Users of both contact forms are recommended to update to the latest version of each contact form plugin. The Fluent Forms contact form is currently at version 5.2.0. The latest version of the Ninja Forms plugin is 3.8.14.
Read the NVD advisory for the Ninja Forms Contact Form plugin: CVE-2024-7354
Read the NVD advisory for the Fluent Forms contact form: CVE-2024
Read the Wordfence advisory on the Fluent Forms contact form:
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.18 – Missing Authorization to Authenticated (Subscriber+) Mailchimp Integration Modification
SEJ Staff: Roger Montti, Owner at Martinibuster.com
I have 25 years of hands-on experience in SEO, evolving along with the search engines by keeping up with the latest ...