A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the popular Saturday Drive Ninja Forms Contact Form plugin, affecting the past versions up to and including 3.6.25. This vulnerability allows attackers to inject malicious code into the plugin's codebase, potentially compromising the security of both the website running the plugin and its users. With more than one million active installations, this vulnerability poses a significant threat to the WordPress community.

Exploit Details

CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Plugin: Saturday Drive Ninja Forms Contact Form (<= 3.6.25)
Plugin URL: https://wordpress.org/plugins/ninja-forms/

Vulnerability Type: Unauthenticated Reflected Cross-Site Scripting (XSS)

Authentication: Not required

Remediation: Update to the latest version (3.6.26 or later)

The vulnerability exists in the handling of the nf_popover GET parameter when a user visits a specific URL containing a malicious payload. By exploiting this vulnerability, an attacker can execute arbitrary JavaScript code in the context of the user's browser, potentially stealing sensitive information or taking control of the user's WordPress account.

Proof of Concept (PoC)

To demonstrate the vulnerability, an attacker could craft a malicious URL like the one shown below and trick a user into clicking on it:


When the victim clicks the link, the JavaScript payload will execute in their browser, displaying an alert with the message "XSS." This exploit only serves as a harmless example, but an attacker could craft a more dangerous payload to compromise the user's account or steal their information.

Original References

[1] Official Ninja Forms Security Disclosure - https://ninjaforms.com/docs/ninja-forms-security-disclosure/

[2] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - https://cwe.mitre.org/data/definitions/79.html

Recommendations for Website Administrators

To protect your website and your users, make sure to update the Ninja Forms Contact Form plugin to the latest version (3.6.26 or later) immediately. Update your WordPress version to the latest release and periodically review your installed plugins to ensure they are up-to-date.

For websites that cannot immediately update the plugin, a temporary mitigation can be applied by filtering out potentially malicious content from the nf_popover GET parameter. This solution requires editing the .htaccess file to add the following rule:

RewriteEngine On
RewriteCond %{QUERY_STRING} nf_popover=.*(%3C|%3E|%2f%2A).* [NC]
RewriteRule ^ - [F]

This rule will block any requests containing "<", ">", or "/%" within the nf_popover GET parameter, stopping the XSS attack. However, this is not a permanent solution and should only be used as a last resort if updating the plugin is not possible.

Keep informed about security vulnerabilities in WordPress plugins and themes and apply the updates promptly to keep your website safe from potential attacks.


Published on: 07/27/2023 15:15:00 UTC
Last modified on: 08/04/2023 18:15:00 UTC