Security News > 2023 > July > WordPress Ninja Forms plugin flaw lets hackers steal submitted data
Popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to achieve privilege escalation and steal user data.
The second and third problems, tracked as CVE-2023-38393 and CVE-2023-38386, respectively, are broken access control issues on the plugin's form submissions export feature, allowing Subscribers and Contributors to export all of the data that users have submitted on the impacted WordPress site.
Any site that supports membership and user registrations would be susceptible to massive data breach incidents due to that flaw if they use a vulnerable Ninja Forms plugin version.
WordPress Stripe payment plugin bug leaks customer order details.
WordPress AIOS plugin used by 1M sites logged plaintext passwords.
Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-06-19 | CVE-2023-38393 | Unspecified vulnerability in Ninjaforms Ninja Forms Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25. | 8.8 |
2024-06-19 | CVE-2023-38386 | Missing Authorization vulnerability in Saturday Drive Ninja Forms.This issue affects Ninja Forms: from n/a through 3.6.25. | 0.0 |