Thursday, 18 August 2016

Vulnerability Alert: SQL Injection Vulnerability in Ninja Forms


Hi ,

We're reaching out to you today to ensure that you are up to date regarding the latest security issues that may be affecting your website. Keeping our community safe and educated is of great importance to us. 

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.

The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim's site. It doesn't matter what the account privileges are – for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn't escape parameters provided by its shortcodes before concatenating it to an SQL query.

A malicious individual using this bug could (among other things) leak the site's usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.

Read More About This Vulnerability

Security Risk: Dangerous

Exploitation Level: Easy/Remote

DREAD Score: 6/10

Vulnerability: SQL Injection

Patched Version:

Websites behind the Sucuri Firewall have been protected against this threat
via our Virtual Hardening / Patching technology. 

If you don't have our Website Application Firewall enabled, sign up now below!

This email does not mean you are affected!

Being proactive in the protection of your site is one of the most important aspects of having a solid security posture. Therefore, we feel it's important to research and report on all potential threats as quickly as possible.
- Your Sucuri Security Team