Ninja Forms Shell Upload Vulnerability – Very High Risk

A few times a year we see very bad vulnerabilities come along. This is, unfortunately, one of those times.

Ninja Forms versions 2.9.36 to 2.9.42 contain multiple vulnerabilities. One of the vulnerabilities results in an attacker being able to upload and execute a shell on WordPress sites using Ninja Forms. We have developed a working exploit for internal use at Wordfence. The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42.

Wordfence Firewall already blocks uploads of malicious PHP files, so you were already protected against this attack while it was still a 0-day. As an additional precaution, this morning we released three additional rules via the Wordfence Threat Defense Feed, which are already active on Wordfence Premium customer sites.

Ninja Forms has over 500,000 active installs, so the impact of this vulnerability is going to be fairly widespread.

We are monitoring attacks in real time and are not yet seeing this vulnerability widely exploited. We suspect this is because an exploit has not yet appeared on exploit-db or other public exploit databases (as of 9am Pacific time on May 5th). We expect that to happen within 48 hours, and almost immediately afterwards there will be widespread attacks that exploit this vulnerability.

It’s not often that attackers are provided with a fresh vulnerability in a popular plugin that lets them drop shells or execute code on a large number of WordPress sites. This only happens a few times a year.

WordPress.org has already released an automated forced plugin update. This happened on May 3rd, 48 hours ago, and we have confirmed that the forced update is taking effect on our test sites. The vulnerability will continue to affect sites that have not been updated by their owners and where forced plugin updates are disabled or not feasible.

What to Do

  1. Update Ninja Forms immediately to at least version 2.9.45 if you haven’t already.
  2. If you are running the free version of Wordfence you already have fairly good protection against this vulnerability.
  3. If you are running our Premium version, we have already released new rules that give you full protection against this vulnerability even if your site has not been updated yet.
  4. If you aren’t using our firewall but are using a competing product, verify that it protects against this specific exploit. This is a new vulnerability and they may not have added rules for it yet.
  5. If you weren’t using a firewall before you updated you should also verify that your site has not already been compromised. We recommend you install Wordfence and run a scan.
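The steps above boil down to two checks a site owner can script: is the installed plugin version inside the affected range (2.9.36 through 2.9.42) or below the recommended minimum (2.9.45), and has anything executable landed in the uploads directory, which is where a shell dropped through an upload bug would typically sit. The following is an added example written for this post, not code from Wordfence or from Ninja Forms. It assumes only that the plugin exposes its version through the standard WordPress plugin header field `Version:` (the plugin file path is supplied by the caller), and it deliberately uses numeric version tuples because string comparison gets `2.9.9` versus `2.9.42` wrong. The sample uploads tree and plugin header are constructed for the demo.

```python
"""Defender-side triage for the Ninja Forms advisory: version check + uploads sweep.

Added example, not Wordfence or Ninja Forms code. Assumption (not from the post):
the plugin's main file carries the standard WordPress header line "Version: x.y.z".
"""
import os
import re
import tempfile

VULNERABLE_MIN = (2, 9, 36)   # affected range from the advisory ...
VULNERABLE_MAX = (2, 9, 42)   # ... inclusive
SAFE_MIN = (2, 9, 45)         # minimum version the advisory tells you to install

# Constructed sample plugin header, shaped like a WordPress plugin file header.
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: Example Form Plugin\n * Version: 2.9.42\n */\n"


def parse_version(text):
    """'2.9.42' -> (2, 9, 42); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.strip().split("."))


def header_version(plugin_source):
    """Pull the Version: field out of a WordPress plugin header, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_source, re.M)
    return parse_version(match.group(1)) if match else None


def plugin_file_version(path):
    """Convenience wrapper: read the plugin's main file and return its version tuple."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return header_version(fh.read())


def is_vulnerable(version):
    """True when the version falls inside the affected range named in the advisory."""
    return version is not None and VULNERABLE_MIN <= version <= VULNERABLE_MAX


def needs_update(version):
    """True when the version is unknown or below the advisory's recommended minimum."""
    return version is None or version < SAFE_MIN


def suspicious_uploads(uploads_dir, exts=("php", "phtml", "phar")):
    """Return files under uploads_dir that carry an executable extension anywhere in
    the name, so 'avatar.php.jpg' is caught as well as 'x.php'. A healthy uploads
    tree holds media only, so every hit deserves a manual look."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if any(part in exts for part in name.lower().split(".")[1:]):
                hits.append(os.path.join(root, name))
    return sorted(hits)


def demo_scan():
    """Constructed sample uploads tree: two media files plus two planted files.
    Returns the hits as paths relative to the temporary root."""
    root = tempfile.mkdtemp()
    layout = {
        "2016/05/photo.jpg": b"\xff\xd8",
        "2016/05/cover.png": b"\x89PNG",
        "2016/05/x.php": b"x",
        "forms/avatar.php.jpg": b"x",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return [os.path.relpath(p, root) for p in suspicious_uploads(root)]


if __name__ == "__main__":
    ver = header_version(SAMPLE_HEADER)
    print("sample header version:", ver,
          "vulnerable:", is_vulnerable(ver), "needs update:", needs_update(ver))
    print("suspicious files in constructed uploads tree:", demo_scan())
```

In use, point `plugin_file_version` at the plugin's main file under `wp-content/plugins/` and `suspicious_uploads` at the site's `wp-content/uploads/` directory. Note that a `.1` point release such as `2.9.42.1` compares above `2.9.42`, so `is_vulnerable` does not flag it, while `needs_update` still does because it is below the post's recommended minimum of 2.9.45.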

You can find the full disclosure of the vulnerability by James Golovich on pritect.net. This was published yesterday and contains more technical detail of the vulnerability.

You can find the Ninja Forms changelog here, which will help you keep abreast of any additional security updates they may release in the next few days.


Comments

10 Comments
  • James, the original security expert that you mentioned, brought the issue to our attention and we patched within a few days. We've also worked with the plugin team at WordPress.org to push an auto update to the affected versions. Each of those has a .1 update that contains just the security fix.

    As always, make sure that you're running the latest versions of all your WordPress plugins.

    A big shoutout to James Golovich for the responsible disclosure. We take our users' security very seriously, which is why we moved as quickly as possible to correct the issue.

    • Thanks for weighing in, Kevin. Yes, this seems to have gone about as well as it could have. I was a little startled when our guys demoed a shell upload via this vuln yesterday internally, so I thought we'd get an alert out, and we've beefed up our firewall accordingly. We'll keep tracking it via the attack telemetry we get from our customers, and if there's a huge outbreak of attacks we'll probably update this post.

      Thanks again.

      Mark.

      • Hey Mark,

        Thanks. If you find anything, feel free to send me an email directly.

        We want to make sure that this is completely taken care of.

        • OK will do. Going to drop you an email now with some data.

  • Thank you for sharing. Going to update my ninja.
    Thanks for the frequent updates.

  • Thanks for the updates. Always very informative but scary as can be :) I've shared your post on my Facebook fan page and on Twitter. With 500k active installs it's an important message to get out. Thanks again.

  • Just installed Ninja Forms on this site this week. Tried to go to the dashboard to update the plugin and discovered that the entire site is down. Cannot log in, and the site itself will not load. Two other subdomains on the server are also not working. Could this be caused by the vulnerability in Ninja Forms, or could it (hopefully) be a server (Host 9) problem?

  • Thanks boss. :D

  • Hello,

    Your post says: "Update Ninja Forms immediately to at least version 2.9.45 if you haven’t already.", but the changelog says that 2.9.44 contains the fix for the security issue and 2.9.45 contains a fix to some unrelated templating issue.

    • We used the most recent version at the time of publication of this post.