WordPress Plugin Vulnerabilities

Ninja Forms < 3.4.34 - Administrator Open Redirect

Description

The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.

Proof of Concept

http://mysite.com/wp-admin/admin-ajax.php?client_id=1&redirect=https://google.com&action=nf_oauth_connect

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.4.34

References

CVE
CVE-2021-24165
URL
https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
6147acf5-e43f-47e6-ab56-c9c8be584818

Timeline

Publicly Published
2021-02-16 (about 2 years ago)
Added
2021-02-17 (about 2 years ago)
Last Updated
2021-02-19 (about 2 years ago)

Other

Published
Title
Published
2022-10-17
Title
WP < 6.0.3 - Open Redirect via wp_nonce_ays
Published
2023-01-06
Title
miniOrange WordPress SAML SSO Premium < 12.1.0 - Open Redirect in SSO login
Published
2014-08-01
Title
WP Symposium 13.04 - Unvalidated Redirect
Published
2014-11-26
Title
Ad Manager <= 1.1.2 - Open Redirection
Published
2019-06-01
Title
Paid Memberships Pro <= 2.0.5 - Authenticated Open Redirect