WordPress Ninja Forms Plugin Vulnerability Patched – SQL Injection

Updated on

WordPress Ninja Forms Vulnerability

The popular WordPress plugin Ninja Form has recently updated its plugin to address a serious vulnerability. This vulnerability is considered very serious because it could allow an attacker to hack wordpress site, steal access at the administrator level and take over the entire website.

A WordPress plugin with over 1 million installations, namely XSS vulnerability in WordPress Ninja Forms, was discovered by the Threat Intelligence team. Through this vulnerability, an attacker could easily trick an administrator to import a contact form which contains malicious JavaScript, followed by the replacement of an existing contact form with a malicious version.

According to their Responsible Disclosure Guidelines, the Ninja security team was approached by the Cybersecurity professionals and they got a response within a span of a few hours. It took less than 24hours after the team was contacted to patch the plugin on April 28, 2020. All WordPress users, irrespective of whether they are premium users or not, are shielded from XSS attempts against this vulnerability by WordPress WAF (web application firewall) plugin which supports a built-in WordPress XSS protection.


WordPress Plugin Ninja Forms Cross-Site Scripting Exploit

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: <
CVE ID: CVE-2020-12462
CVSS Score: 8.8 (High)
Fully Patched Version:
Plugin description:
# Ninja Forms is the ultimate FREE form creation tool for WordPress. Build forms within minutes 
# using a simple yet powerful drag-and-drop form creator. For beginners, quickly and easily 
# design complex forms with absolutely no code. For developers, utilize built-in hooks, 
# filters, and even custom field templates to do whatever you need at any step in 
# the form building or submission using Ninja Forms as a framework.

A “legacy” mode is featured as one of the plugins for the Ninja Forms. It allows a user to reform the features and styles such that they match the final 2.9.x version of the plugin. Several AJAX functions intended to import various fields and forms among the default mode and the “legacy” mode are also additions to this feature. All these functions mentioned above-used capability checks, except two of the important functions which provided with the verification of a legitimate user as per the requests sent,  ninja_forms_ajax_import_form, is one particular function that allows forms containing custom HTML to be imported:






















add_action( ‘wp_ajax_ninja_forms_ajax_import_form’, ‘ninja_forms_ajax_import_form’ );

function ninja_forms_ajax_import_form(){

   if( ! current_user_can( apply_filters( ‘ninja_forms_admin_upgrade_import_form_capabilities’, ‘manage_options’ ) ) ) return;


   $import = stripslashes( $_POST[ ‘import’ ] );


   $form_id = ( isset( $_POST[ ‘formID’ ] ) ) ? absint( $_POST[ ‘formID’ ] ) : ”;


   WPN_Helper::delete_nf_cache( $form_id ); // Bust the cache.


   Ninja_Forms()->form()->import_form( $import, TRUE, $form_id, TRUE );


   if( isset( $_POST[ ‘flagged’ ] ) && $_POST[ ‘flagged’ ] ){

       $form = Ninja_Forms()->form( $form_id )->get();

       $form->update_setting( ‘lock’, TRUE );




   echo json_encode( array( ‘export’ => WPN_Helper::esc_html($_POST[‘import’]), ‘import’ => $import ) );



It was possible to import a malicious JavaScript infected form into the site by spoofing a request through an administrator’s session, which could be tricked to click a crafted link by an attacker. There was also a high possibility of any one of the imported forms to be replaced by an existing one on the site by simply setting up the formID $_POST parameter to an existing form’s ID.

Vulnerability Disclosure Policies Are Important

Vulnerability Disclosure Policies

A coordinated vulnerability disclosure policy is a set of rules previously determined by an organization responsible for information or communication technologies authorizing security researchers or the general public to search, with good intentions, for potential vulnerabilities in its systems, or to transmit to it any relevant information discovered on this subject. These rules, generally made public on a website, make it possible to set a legal framework for collaboration between the responsible organization and the participants in the policy.

VDP is one of the reasons that this plugin has been fixed so quickly is that the plugin team maintains a responsible security disclosure policy, often referred to as a vulnerability disclosure policy. This allowed us to contact them directly with our full disclosure rather than spending days trying to find or verify the appropriate contact channel. Although we have sometimes seen plugins patched in less than 24 hours in the past, responses like this are exceptional and indicate a serious dedication to security.

If you are responsible for any type of software product or service, having a Vulnerability Disclosure Policy (VDP) not only improves your chances of being alerted to severe security issues but also allows you to set expectations for the response. More importantly, it reduces the risk of vulnerabilities in your products being exposed prematurely or irresponsibly and attacked by bad actors before you have a chance to fix them. For these reasons, we strongly recommend that you implement a VDP to improve not only the effectiveness of your response to specific vulnerabilities but also the general security of your product.

Vulnerability to cross-site infringement requests

The exploitation that causes it is called Cross-Site Request Forgery. This type of WordPress vulnerability exploits the absence of a normal security check, which allows an attacker to download or replace files and even to obtain administrative access.

This is how the Common Weakness Enumeration site describes this kind of exploit:

“The web application does not check, or cannot check enough, whether a well-formed, valid and consistent request has been intentionally provided by the user who submitted the request.

…it could be possible for an attacker to trick a client into making an involuntary request to the web server which will be treated as an authentic request, and may result in data exposure or involuntary code execution”.

Also Read : WordPress SQL injection – How to Fix & Prevent SQLi Hack

Ninjas Become Very vulnerable

WordPress Security experts discovered the exploit and immediately notified the publishers of the WordPress Ninja Forms plugin. Ninja Forms immediately corrected the security vulnerability within 24 hours.

According to experts, the vulnerability was contained in a “legacy” mode which controlled the style functions which reverted to an older version. It is this part of the code that has been affected.

Ninja Forms Vulnerability described:



“While all of these functions used capacity checks, two of them failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user.

…malicious script executed in an administrator’s browser could be used to add new administrative accounts, which would lead to complete takeover of the site, while malicious script executed in a visitor’s browser could be used to redirect this visitor to a malicious site”.

Also Read: Best WordPress Security Services

The Ninja form a logbook

The publishers of the Ninja Forms plugin have updated their plugin responsibly and in a timely manner. They also honestly reflected the purpose of the update in their changelog.

A changelog is an explanation of what has changed in a software update. Some plugin manufacturers try to hide the subject of the update by not mentioning the vulnerabilities.

Ninja Forms honestly reported what it was about in this update. This is very important for publishers, as it lets them know whether an update should be done immediately or whether it can wait.

This shows that Ninja Forms is a reliable and responsible WordPress plugin editor.


April 27, 2020 19:00 UTC – The Threat Intelligence Team discovers and analyzes the vulnerability and verifies that existing Firewall Rules provide sufficient protection against WordPress XSS attack.

April 27, 2020 20:27 UTC – We receive a response that a patch should be available soon.

April 28, 2020 19:00 UTC – Patched version of the plugin released.

Update Ninja Forms Now

Update ninja forms WordPress plugin

All editors using Ninja Forms are requested to immediately update their Ninja Forms plugin. Version of Ninja Forms is the latest version. If you have an earlier version, you must update your plugin to avoid this serious vulnerability.

You can find Ninja Forms changelog here which will help you keep abreast of any additional security updates


For the Ninja Forms WordPress plugin, a Cross-Site Request Forgery vulnerability has been detailed out by the security experts today. All the users are immediately recommended to update to the new available version, which has been fully patched of this flaw.

Sites running the WordPress firewall software, regardless of whether these sites are premium users or free users of the plugin, are protected from Cross-Site Scripting attacks against this vulnerability on account of the firewall’s built-in security features. To help people secure their sites, it is advisable to spread this knowledge as much as possible among people who might be using this plugin. Get in touch with our wordpress security developers to guide you further. Is your wordpress hacked? Scan your website today to find our any vulnerable plugin .

Further Reading