Dangerous SQL Injection Flaw Discovered in Ninja Forms WordPress Plugin

A few months back, researchers from Sucuri had discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites. The vulnerability was discovered by Sucuri during their regular research audits for the Sucuri Firewall. However, it didn’t take much time to fix the issue. It was resolved quickly.

This had been a hot topic among the WordPress community.  According to the Sucuri Notification:

“The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim’s site. It doesn’t matter what the account privileges are – for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn’t escape parameters provided by its shortcodes before concatenating it to an SQL query.

  A malicious individual using this bug could (among other things) leak the site’s usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.”

Sucuri noted in a blog that it had disclosed the issue to Ninja forms on 11th August and within 5 hours the problem was fixed and a new version had been made public. Users were asked to update the plugin as early as possible before the attackers could make their way. However, if a user has not updated their site a malicious individual exploiting this vulnerability could leak the site’s usernames & hashed passwords as well as it could also leak WordPress secret keys.