In the world of WordPress, plugins play a vital role in enhancing the functionality of the platform. However, not all plugins are created equal, and some of them may contain vulnerabilities that put your website at risk. One such case is the Ninja Forms - File Uploads Extension WordPress plugin, which has recently been found to be vulnerable to arbitrary file uploads (CVE-2022-0888).

This vulnerability affects versions up to and including 3.3. of the plugin and may allow unauthenticated attackers to upload malicious files to a website, leading to remote code execution. In this post, we will take a closer look at the vulnerability and the steps that can be taken to mitigate the risk.

Exploit Details

The vulnerability behind CVE-2022-0888 is due to insufficient input file type validation in the uploads.php file, located at ~/includes/ajax/controllers/uploads.php. By bypassing this file's validation process, an attacker can upload files with unrestricted extensions.

The vulnerability can be exploited through the following simple steps:

1. An attacker can initiate an unauthenticated POST request to the admin-ajax.php endpoint, which processes the file uploads.
2. The attacker can then set the action parameter to upload and the formData parameter to their desired payload.

Here is a code snippet showcasing the vulnerability in the uploads.php file:

// ~/includes/ajax/controllers/uploads.php

class NF_FU_AJAX_Controllers_Upload {
    public function __construct() {
        add_action('wp_ajax_nf_fu_upload', array($this, 'upload'));
    }

    public function upload() {
        // Insufficient Validation Logic
        $allowed_mime_types = NF_File_Uploads()->controllers->settings->getAllowedMimeTypes();

        $filename = sanitize_file_name($_FILES['file']['name']);
        $filetype = wp_check_filetype($filename, $allowed_mime_types);

        // Vulnerable Code Allowing Unrestricted Uploads
        if ($filetype['ext'] === false) {
            wp_send_json_error(array('message' => __('Invalid file type', 'ninja-forms-uploads')), 400);
        }

        // Rest of the Code
    }
}

The following resources provide in-depth information about the vulnerability:

- CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0888
- Ninja Forms Security Announcement: https://ninjaforms.com/security-update-cve-2022-0888/

Mitigation Steps

If you are using the Ninja Forms - File Uploads Extension WordPress plugin, it is crucial that you take immediate action to prevent the risk of exploitation. To mitigate the vulnerability, follow these steps:

1. Update the Plugin: Upgrade to the latest version of the Ninja Forms - File Uploads Extension WordPress plugin (version 3.3.1 or higher). This version contains a fix for the vulnerability.
2. Remove Unnecessary Files: Regularly check your website's file system and remove any unnecessary or suspicious files to minimize the risk of remote code execution.
3. Monitor Your Website: Keep an eye on your website's logs for any suspicious activities, such as unauthorized file uploads or login attempts.
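To make steps 2 and 3 concrete, here is an added example (not code from the plugin or its vendor) that scans a web server access log for requests to script files under the uploads directory and correlates them with earlier POSTs to admin-ajax.php from the same client. It assumes the Combined Log Format, the default /wp-content/uploads/ location, and an illustrative list of script extensions; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOADS_PREFIX = "/wp-content/uploads/"  # WordPress default; adjust if relocated
# Extensions often handed to the PHP interpreter (assumed list, tune per server)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|/|$)", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, made-up file names)
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Mar/2022:20:30:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Mar/2022:20:30:15 +0000] "GET /wp-content/uploads/2022/03/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [23/Mar/2022:20:31:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 412 "-" "curl/7.79.1"',
    '203.0.113.50 - - [23/Mar/2022:20:31:09 +0000] "GET /wp-content/uploads/ninja-forms/tmp/report.php?x=1 HTTP/1.1" 200 17 "-" "curl/7.79.1"',
    '192.0.2.9 - - [23/Mar/2022:20:40:00 +0000] "GET /wp-content/uploads/2022/03/old.phtml HTTP/1.1" 404 0 "-" "-"',
]


def find_suspicious(lines):
    """Return (ip, timestamp, path, reason) for script requests under uploads."""
    ajax_posters = set()  # clients that have POSTed to admin-ajax.php so far
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = unquote(urlsplit(m["target"]).path)
        if m["method"] == "POST" and path == AJAX_PATH:
            ajax_posters.add(m["ip"])
        elif path.lower().startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(path):
            served = m["status"].startswith("2")
            if served and m["ip"] in ajax_posters:
                reason = "script served after admin-ajax POST from same client"
            elif served:
                reason = "script served from uploads directory"
            else:
                reason = "probe for script in uploads directory"
            findings.append((m["ip"], m["ts"], path, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(" | ".join(finding))
```

Any hit with a 2xx status means a script under the uploads directory was actually served, so the file itself should be located on disk and reviewed as part of step 2.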

Conclusion

The discovery of the CVE-2022-0888 vulnerability in the Ninja Forms - File Uploads Extension WordPress plugin serves as a reminder of the importance of maintaining up-to-date software and monitoring for security issues. By keeping your plugins and WordPress installation updated and taking the necessary precautions to protect your website, you can help ensure the safety of your online presence.

Timeline

Published on: 03/23/2022 20:15:00 UTC
Last modified on: 05/02/2022 19:34:00 UTC