Security News > 2023 > July > WordPress Ninja Forms plugin flaw lets hackers steal submitted data

WordPress Ninja Forms plugin flaw lets hackers steal submitted data
2023-07-27 17:00

Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data.

The second and third problems, tracked as CVE-2023-38393 and CVE-2023-38386, respectively, are broken access control issues on the plugin's form submissions export feature, allowing Subscribers and Contributors to export all of the data that users have submitted on the impacted WordPress site.

Any site that supports membership and user registrations would be susceptible to massive data breach incidents due to that flaw if they use a vulnerable Ninja Forms plugin version.

WordPress Stripe payment plugin bug leaks customer order details.

WordPress AIOS plugin used by 1M sites logged plaintext passwords.

Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs.


News URL

https://www.bleepingcomputer.com/news/security/wordpress-ninja-forms-plugin-flaw-lets-hackers-steal-submitted-data/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-06-19 CVE-2023-38393 Unspecified vulnerability in Ninjaforms Ninja Forms
Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.
network
low complexity
ninjaforms
8.8
2024-06-19 CVE-2023-38386 Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25.
0.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 93 44 18 157
Plugin 2 0 13 1 0 14