An authenticated attacker who abuses the flaw could export personal data submitted to websites via forms built with the extension.
The plugin’s developer, Saturday Drive, addressed the flaw in version 3.5.8, which it released yesterday (September 7) after a delay to the rollout of an otherwise seemingly rapid fix.
The insecure code was introduced in version 3.5.5, according to a blog post published by WordPress security service Plugin Vulnerabilities.
As well as updating their systems, Plugin Vulnerabilities recommends that website administrators running vulnerable versions who grant ‘untrusted’ individuals access to WordPress accounts could review “log files for the website to make sure there haven’t been any requests for the relevant path” to exploitation.
It also criticized Saturday Drive for submitting a new version of the plugin to the Subversion repository underlying the WordPress Plugin Directory back on August 17, more than three weeks before releasing an official software update.
A description of, and code change for, the fix were also committed publicly on the WordPress Plugin Directory that, if seen by malicious actors, made it “trivial to exploit the vulnerability,” said Plugin Vulnerabilities.
Stuart Sequeira, lead engineer for Ninja Forms at Saturday Drive, responded quickly to The Daily Swig’s queries, saying that he “put in a fix” the day after security vendor Wordfence alerted them to the flaw, but admitted to an oversight that has since led them to introduce greater automation in releasing fixes.
“I’ve been working on an internal process to track, remedy, and release security fixes with proper disclosure on a fast cycle,” he explained.
“In this process, while we got the fix done immediately, I failed to turn it around and get it out the next day, which is what should have happened; instead it was in normal cycle.
“As part of our internal process corrections to error-proof this in the future, we have implemented an automated build and release protocol such that security fixes, once we implement them, will be released almost immediately.”
‘Possible leg up’
Plugin Vulnerabilities also accused Wordfence, the WordPress security specialist, of “giving [malicious] hackers a possible leg up” in advance of a software update being readily available.
This was because they added a rule to its Web Application Firewall (WAF), which was available to non-paying customers on September 2 and premium subscribers 30 days earlier, that revealed clues about the vulnerability’s existence and provenance.
Part of the rule apparently seeks a request path containing ‘ninja-forms-submissions’ that a hacker could link to the plugin by using the website WP Directory.
Wordfence has yet to respond to our queries about this, but we will update the story if and when they do so.