
Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable
2023-07-31 06:42

Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.

The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week.

Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.


The disclosure comes as Patchstack revealed another reflected cross-site scripting (XSS) vulnerability, this one in the Freemius WordPress software development kit, affecting versions prior to 2.5.10, that could be exploited to obtain elevated privileges.

Also discovered by the WordPress security company is a critical bug in the HT Mega plugin present in versions 2.2.0 and below that enables any unauthenticated user to escalate their privilege to that of any role on the WordPress site.


News URL

https://thehackernews.com/2023/07/multiple-flaws-found-in-ninja-forms.html

Related Vulnerability

DATE         CVE             VULNERABILITY TITLE                                                RISK
2024-06-19   CVE-2023-38393  Missing Authorization vulnerability in Ninjaforms Ninja Forms      8.8
             Missing Authorization vulnerability in Saturday Drive Ninja Forms. This issue affects Ninja Forms: from n/a through 3.6.25.
             Attack vector: network; low complexity; vendor: ninjaforms; CWE-862
2024-06-19   CVE-2023-38386  Missing Authorization vulnerability in Saturday Drive Ninja Forms  0.0
             This issue affects Ninja Forms: from n/a through 3.6.25.
2023-07-27   CVE-2023-37979  Cross-site Scripting vulnerability in Ninjaforms Ninja Forms       6.1
             Unauthenticated; attack vector: network; low complexity; vendor: ninjaforms; CWE-79

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Plugin 2 0 13 1 0 14