Multiple Authenticated Stored XSS in NinjaForms Settings Page (Version 3.4.22)

Background

A consultant at Spider Sec Ltd identified an Authenticated Stored Cross-Site Scripting (XSS) vulnerability in the popular Ninja Forms WordPress plugin. The injection point is on the plugin's settings page, so the payload can only be planted by an administrator, or through an administrator who is tricked into submitting it. Once stored, the script runs in the browser of every administrator who opens that page, with that administrator's privileges; the proof of concept reads document.cookie, and a real attacker would use the same foothold to take over the WordPress admin panel. The risk is therefore greatest when the flaw is combined with a phishing campaign, which is what makes it a serious concern for website administrators.


Technical Details

The vulnerability lies in several settings parameters handled by the plugin's administrative settings page (admin.php?page=nf-settings). The affected POST parameters are:

  • ninja_forms[date_format]=
  • ninja_forms[recaptcha_site_key]=
  • ninja_forms[recaptcha_lang]=

The stored values of these parameters are echoed back into the settings form without escaping, so an attacker can inject a script that is saved on the server and executed whenever an administrator opens the settings page. The following payload was used to confirm the issue, shown first as entered in the date_format field and then URL-encoded as it appears in the POST body:

m/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw
bybcn'%20onfocus%3dalert(document.cookie)%20autofocus%3d%20jel7pcgk34v

The shape of the payload shows what is happening: the single quote closes the value='...' attribute the setting is rendered into, and the onfocus handler paired with autofocus fires as soon as the page loads, without any click or keypress from the administrator. The random letters on either side are only filler that makes the test value easy to find in the response.

How an Attacker Could Exploit This Vulnerability

While the vulnerability is serious, it cannot be exploited by an unauthenticated attacker on its own: the malicious settings request has to be submitted by a logged-in administrator. A practical attack therefore chains the stored XSS with a cross-site request (the attacker's page submits the POST from the victim's browser) and with social engineering to get the administrator onto that page. The advisory does not state whether the settings request carries a WordPress nonce; the cross-site submission described below only works if the plugin does not verify one, otherwise the attacker would need the administrator's own session. Here is a step-by-step overview of how an attacker could use this vulnerability to compromise an administrative panel:

Craft a Malicious Button: The attacker first creates a page, hosted on an attacker-controlled site, containing a form that submits the vulnerable POST request to the victim's WordPress admin panel. Because the request is sent by the victim's own browser, it carries the victim's WordPress session cookies automatically. Below is an example of how the HTML form might look:


<form action="http://VictimsURL/wp-admin/admin.php?page=nf-settings" method="POST">
--snip--
<input name="ninja_forms[date_format]" type="hidden" value="zm/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw" />
--snip--
<input type="submit" value="Submit request" />
</form>

Deploy a Phishing Campaign: The attacker then needs to get the target (usually an admin) to visit that page, for example through a carefully crafted phishing email or by embedding the form in a seemingly innocent webpage. A click on the button is not strictly required: the hosting page can submit the form with JavaScript as soon as it loads. Clickjacking (overlaying attacker content on the victim's own settings page loaded in an iframe) is less practical here, because WordPress sends an X-Frame-Options: SAMEORIGIN header on admin pages by default, which prevents wp-admin from being framed by another origin.

Execution of the Payload: Once the administrator's browser submits the request, the malicious value is saved by the Ninja Forms settings page. The next time an administrator opens the settings page, the stored value is echoed into the form and the injected script runs in that administrator's browser.

In this scenario the script simply triggers a JavaScript alert showing document.cookie. Note that a default WordPress installation sets its authentication cookies (wordpress_* and wordpress_logged_in_*) with the HttpOnly flag, so document.cookie does not expose them; the alert proves script execution rather than a working cookie theft. A real attacker would instead have the injected script perform authenticated actions from the administrator's browser (for example creating an additional administrator account), which yields the same result as hijacking the session without ever reading the cookie value.

Mitigation and Recommendations

To mitigate this vulnerability, administrators should update the Ninja Forms plugin to version 3.4.23 or later, where the issue is fixed. Until the update is applied, administrators should treat links and buttons from unknown sources with suspicion, and be aware that simply visiting an attacker-controlled page while logged into wp-admin can be enough to trigger the malicious request.

For added security, a Content Security Policy (CSP) that does not allow 'unsafe-inline' for scripts would block the inline onfocus handler used here, though WordPress does not ship such a policy for the admin area by default and it must be configured carefully to avoid breaking legitimate admin scripts. Keeping all plugins regularly updated remains the most reliable protection. From the plugin developer's side, the general fix for this class of bug is to escape stored settings values with esc_attr() when echoing them into form attributes and to verify a nonce (check_admin_referer()) before saving settings; the advisory does not describe the vendor's actual patch.
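As an added illustration (this is example code written for this write-up, not Ninja Forms' own source), the following plain PHP shows the attribute breakout behind the payload from the Technical Details section next to the escaped rendering that neutralises it, plus a minimal request-token check of the kind the settings save handler needs to stop the cross-site form. It assumes the setting is echoed into a single-quoted value attribute, which is what the payload shape implies; the function names and the stored option layout are hypothetical, and the HMAC token stands in for WordPress's wp_nonce_field()/check_admin_referer() so that the file runs stand-alone.

```php
<?php
// Added example (not Ninja Forms' own code): why the stored value executes, and
// the escaping plus CSRF-token pattern that prevents it. Assumes the settings
// page echoes the saved value into a single-quoted value attribute (inferred
// from the payload shape); all function names below are hypothetical.

// The payload from the advisory, as it would sit in the database after the POST.
const STORED_PAYLOAD = "m/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw";

// Vulnerable pattern: the stored value is interpolated straight into the attribute.
function render_date_format_vulnerable(string $value): string
{
    return "<input type='text' name='ninja_forms[date_format]' value='" . $value . "'>";
}

// Hardened pattern: escape for attribute context before echoing. Inside WordPress
// this is esc_attr(); htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent
// and turns the breakout quote into &#039; so it stays inside the attribute.
function render_date_format_safe(string $value): string
{
    $escaped = function_exists('esc_attr')
        ? esc_attr($value)
        : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type='text' name='ninja_forms[date_format]' value='" . $escaped . "'>";
}

// Parse the rendered tag the way a browser would and report whether the payload
// became a real onfocus attribute. A plain text search would be fooled here: the
// escaped copy still contains the literal string "onfocus=" inside the value.
function has_onfocus_attribute(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // the vulnerable markup is malformed
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input !== null && $input->hasAttribute('onfocus');
}

// CSRF half: the cross-site form in the advisory only works if the save handler
// accepts a POST carrying no proof that it came from the admin's own settings page.
// WordPress provides wp_nonce_field() / check_admin_referer() for this; the HMAC
// below is the same idea reduced to plain PHP so the example runs by itself.
function make_nonce(string $user_secret, string $action): string
{
    return hash_hmac('sha256', $action, $user_secret);
}

function save_settings(array $post, string $user_secret): ?array
{
    $expected = make_nonce($user_secret, 'nf-settings');
    if (!isset($post['_nonce']) || !hash_equals($expected, $post['_nonce'])) {
        return null;                              // forged cross-site request: refuse
    }
    // Store a sanitised copy; escaping for HTML still happens at output time above.
    return ['date_format' => trim(strip_tags($post['ninja_forms']['date_format'] ?? ''))];
}

$vulnerable = render_date_format_vulnerable(STORED_PAYLOAD);
$safe       = render_date_format_safe(STORED_PAYLOAD);
echo $vulnerable, "\n", $safe, "\n";
var_dump(has_onfocus_attribute($vulnerable));     // bool(true): handler is live
var_dump(has_onfocus_attribute($safe));           // bool(false): quote is now &#039;

$secret   = bin2hex(random_bytes(16));            // stands in for the admin's session secret
$attacker = ['ninja_forms' => ['date_format' => STORED_PAYLOAD]];          // constructed: no nonce
$admin    = $attacker + ['_nonce' => make_nonce($secret, 'nf-settings')];  // constructed: legit
var_dump(save_settings($attacker, $secret) === null);   // bool(true): rejected
var_dump(save_settings($admin, $secret) !== null);      // bool(true): accepted
```

Run it with `php` from the command line; the two var_dump pairs show that the same stored string yields a live onfocus handler when echoed raw and an inert attribute value when escaped, and that the attacker's form (which cannot know the per-user secret) is refused by the token check. Output escaping is what removes the XSS; the token check is what removes the cross-site delivery route, and both belong in the fix.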


Remediation

Update to version 3.4.23