WordPress Ninja Forms plugin flaw lets hackers steal submitted data
2023-07-27 17:00

Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data.

The second and third problems, tracked as CVE-2023-38393 and CVE-2023-38386, respectively, are broken access control issues on the plugin's form submissions export feature, allowing Subscribers and Contributors to export all of the data that users have submitted on the impacted WordPress site.

Any site that supports membership and user registrations and runs a vulnerable Ninja Forms plugin version would be susceptible to massive data breach incidents due to that flaw.

News URL

https://www.bleepingcomputer.com/news/security/wordpress-ninja-forms-plugin-flaw-lets-hackers-steal-submitted-data/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-19 | CVE-2023-38393 | Missing Authorization vulnerability in Ninjaforms Ninja Forms. Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25. (network, low complexity, ninjaforms, CWE-862) | 8.8 |
| 2024-06-19 | CVE-2023-38386 | Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25. | 0.0 |

Related vendor

| VENDOR | LAST 12M #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Wordpress | 7 | 2 | 95 | 44 | 18 | 159 |
| Plugin | 2 | 0 | 13 | 1 | 0 | 14 |