The Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites.

These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used to phish unsuspecting users.

Ninja Forms is one of the most popular form-building plugins for WordPress websites. One feature the plugin offers is the ability to export all of a site’s form submissions for reviewing and analyzing submission data. Unfortunately, this was insecurely implemented, making it possible for any authenticated user to export all of a site’s submission data.

The plugin registered a REST route, /ninja-forms-submissions/export, which did in fact use a permissions_callback. However, this check did nothing more than validate whether or not a user was logged in, using the is_user_logged_in() function. There was no check to verify that the user had the appropriate permissions to execute the function.

public function permission_callback(WP_REST_Request $request) {
    //Set default to false
    $allowed = false;
    //Check Capability of logged in users
    $allowed = is_user_logged_in();
    return $allowed;
}

This meant that any logged-in user could use the /ninja-forms-submissions/export endpoint and export everything that had ever been submitted to one of the site’s forms. Depending on how a site’s forms were configured, this data could contain sensitive personally identifiable information (PII) that would provide an attacker with valuable information to conduct other attacks.

In addition to the previous bulk submission export vulnerability, there was another functionality in the plugin that was insecurely implemented using the same vulnerable permissions_callback validation.

The plugin registered the /ninja-forms-submissions/email-action endpoint which was intended to trigger bulk email actions on form submissions. This functionality was intended to allow site owners to trigger a variety of email actions like sending an email confirmation, or email notification, in bulk in response to user submissions.

Unfortunately, because this functionality used the same permissions_callback check, any authenticated user could trigger an email action using the REST API endpoint. To make matters worse, the trigger_email_action function executed by the email-action endpoint crafted the email based on values that could be passed in the request. This made it possible for an attacker to craft a completely unique email, including the body and subject, and then send it from the vulnerable site to any email address.

public function trigger_email_action(WP_REST_Request $request) {
    //Extract required data
    $data = json_decode($request->get_body());
    $form = Ninja_Forms()->form( $data->formID );
    $sub = $form->get_sub( $data->submission );
    $field_values = $sub->get_field_values();
    //Throw error if we're missing data
    if( !isset($data) || empty($form) || empty($sub) ) {
        return new WP_Error( 'malformed_request', __('This request is missing data', 'ninja-forms') );
    }
    //Process Merge tags
    $action_settings = $this->process_merge_tags( $data->action_settings, $data->formID, $sub );
    //Process Email Action
    $email_action = new NF_Actions_Email();
    $result = $email_action->process( (array) $action_settings, $data->formID, (array) $field_values );
    //Return true if wp_mail returned true or the submission ID if it failed.
    $return = !empty($result['actions']['email']['sent']) && true === $result['actions']['email']['sent'] ? $result['actions']['email']['sent'] : $sub->get_seq_num();
    return $return;
}

This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email. In addition, a more targeted spear-phishing attack could be used to fool a site owner into believing that an email was coming from their own site.

This could be used to trick an administrator into entering their password on a fake login page or allow an attacker to take advantage of a second vulnerability requiring social engineering, such as Cross-Site Request Forgery or Cross-Site Scripting, which could be used for site takeover.
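
For site owners who want to check whether either endpoint was called while a vulnerable version was installed, the following added example (not part of the original post and not Ninja Forms code) scans web server access-log lines for requests to the two routes named above. It assumes the Apache/nginx "combined" log format and that the REST API is reached through WordPress's /wp-json/ prefix or the ?rest_route= query parameter; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# The two routes named in the advisory.
ROUTES = ("/ninja-forms-submissions/export", "/ninja-forms-submissions/email-action")
# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2021:10:01:02 +0000] "POST /wp-json/ninja-forms-submissions/export HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Aug/2021:10:01:09 +0000] "POST /index.php?rest_route=%2Fninja-forms-submissions%2Femail-action HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Aug/2021:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Aug/2021:10:03:00 +0000] "POST /wp-json/ninja-forms-submissions/export HTTP/1.1" 401 92 "-" "Mozilla/5.0"',
]

def rest_route(target):
    """REST route of a request target, or None if it is not a REST API call.
    WordPress serves the REST API under /wp-json/<route> and, without pretty
    permalinks, under ?rest_route=/<route> (usually percent-encoded)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if "rest_route" in query:
        return query["rest_route"][0]
    path = unquote(parts.path)
    idx = path.find("/wp-json/")  # also matches sites installed in a subdirectory
    return path[idx + len("/wp-json"):] if idx != -1 else None

def find_hits(lines):
    """Every request to one of ROUTES, whatever its HTTP status."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        route = rest_route(m["target"]) if m else None
        if route is None:
            continue
        for known in ROUTES:
            if known in route.lower():
                hits.append((m["ip"], m["time"], known, int(m["status"])))
    return hits

def successful_calls(hits):
    """Count 2xx responses per (client IP, route): the requests to review first."""
    return Counter((ip, route) for ip, _, route, status in hits if 200 <= status < 300)

if __name__ == "__main__":
    for (ip, route), n in successful_calls(find_hits(SAMPLE_LOG)).items():
        print(ip, route, n)
```

Access logs do not record which WordPress account made a request, so each successful call still has to be matched against the administrators who legitimately use the export and bulk email features.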

The team sent the full disclosure details to Ninja Forms on August 3, 2021, as per the security disclosure policy listed on the Ninja Forms website. Ninja Forms acknowledged the report the same day and informed us that they would start working on a patch immediately. A patch was released on September 7, 2021, in version 3.5.8.

We strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version of Ninja Forms at the time of this publication.