CVE-2023-38393 - Missing Authorization in Ninja Forms Plugin (Version n/a through 3.6.25) — How Attackers Exploit It and How to Fix

If you use WordPress to run your website, chances are you rely on plugins to make life easier. One of the most popular is Ninja Forms, allowing you to build contact forms without coding. But what if adding or editing a form could let an attacker gain unauthorized powers over your site? That’s exactly what happened with the CVE-2023-38393 vulnerability.

In this post, you’ll learn what CVE-2023-38393 is, see a simple code scenario, explore how attackers can exploit it, and get straight-to-the-point guidance on staying safe.

What is CVE-2023-38393?

CVE-2023-38393 is a *Missing Authorization* vulnerability found in the Ninja Forms plugin for WordPress. The flaw affects versions from unknown initial release (n/a) up to and including 3.6.25. It lets unauthorized users (even logged-out visitors) trigger functions that are supposed to be reserved for privileged users (like admins).

Ninja Forms official website: https://ninjaforms.com/
WordPress plugin page: https://wordpress.org/plugins/ninja-forms/

References

- NVD: CVE-2023-38393
- Patchstack Advisory

How Did this Happen? (Technical Explainer)

When plugins offer functions via *AJAX*, they have to check that the requesting user is allowed to perform the action. For example, editing forms, deleting data, or exporting info — these should be *admin only*.

But with CVE-2023-38393, developers missed this security check.

The vulnerable code (simplified)

// File: includes/AJAX/some-handler.php
add_action('wp_ajax_nf_some_action', 'nf_some_action_callback');
add_action('wp_ajax_nopriv_nf_some_action', 'nf_some_action_callback');

function nf_some_action_callback() {
    // MISSING authorization check!
    // Should check user capability:
    // if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Unauthorized' ); }
    
    // Process sensitive action...
}

What is missing?
The code omits a call to current_user_can() or similar, so *anyone*, including unauthenticated visitors, can run nf_some_action_callback.

Exploit Scenario: Exporting Form Submissions Without Permission

Imagine you’re running a business website and use Ninja Forms for customer inquiries. Attackers could export (download) all submissions — names, emails, messages — without even logging in!

Realistic Exploit Example (Request via AJAX)

An attacker inspects Ninja Forms’ AJAX endpoints.

All they need to do is POST a specific request to

https://example.com/wp-admin/admin-ajax.php?action=nf_some_action

And *the action runs* without checking who they are.

Sample cURL exploit

curl -X POST "https://example.com/wp-admin/admin-ajax.php"; \
     -d "action=nf_export_submissions&form_id=1"

If the *vulnerable function* exported submission data, the attacker would see sensitive records in response.

How to Fix CVE-2023-38393

Update NOW!
The Ninja Forms team patched this in version 3.6.26.
If you see a prompt to update Ninja Forms, do so immediately.

Manual Check:

If you’re a developer, add something like this to sensitive callbacks

if ( ! current_user_can( 'manage_options' ) ) {
    wp_send_json_error( 'Unauthorized', 403 );
    exit;
}

Monitor for Exploitation:

References & More Reading

- NVD - CVE-2023-38393
- Patchstack Ninja Forms Advisory
- Ninja Forms Changelog

Takeaways

Missing Authorization is one of the most costly security mistakes in web plugins, especially for WordPress. CVE-2023-38393 reminds us that just because a feature is convenient doesn’t mean it’s safe out-of-the-box.

Timeline

Published on: 06/19/2024 15:15:57 UTC
Last modified on: 07/31/2024 20:00:48 UTC