WordPress Plugin Vulnerabilities

Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection

Description

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such issue since June 9th, 2022

Proof of Concept

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.6.11

References

URL
https://plugins.trac.wordpress.org/changeset/2742567/ninja-forms
URL
https://ninjaforms.com/blog/security-update-june-2022/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (critical)

Miscellaneous

Verified
Yes
WPVDB ID
8843d66b-e895-4336-afda-00b99442cdc1

Timeline

Publicly Published
2022-06-15 (about 3 years ago)
Added
2022-06-15 (about 3 years ago)
Last Updated
2023-03-29 (about 2 years ago)

Other

Published
Title
Published
2024-11-18
Title
Geolocator <= 1.1 - Unauthenticated PHP Object Injection
Published
2025-08-12
Title
Welcart e-Commerce < 2.11.17 - Authenticated (Editor+) PHP Object Injection
Published
2023-12-28
Title
YITH WooCommerce Product Add-Ons < 4.3.1 - Authenticated(Shop Manager+) PHP Object Injection
Published
2017-03-01
Title
Analytics Stats Counter Statistics - Unauthenticated PHP Object Injection
Published
2024-09-26
Title
Product Enquiry for WooCommerce < 2.2.33.34 - Authenticated (Author+) PHP Object Injection in enquiry_detail.php