• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
WordPress Vulnerablity Disclosre

SQL Injection Vulnerability in Ninja Forms

August 16, 2016Marc-Alexandre MontpasEspanol

Security Risk: Dangerous

Exploitation Level: Easy/Remote

DREAD Score: 6/10

Vulnerability: SQL Injection

Patched Version: 2.9.55.2

FacebookTwitterSubscribe

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.

Vulnerability Disclosure Timeline:

  • August 11th 9:35 am, 2016 – Initial report to the Ninja Forms team
  • August 11th 2:49 pm, 2016 – Public release of version 2.9.55.2, fixing the vulnerability

Are You at Risk?

The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim’s site. It doesn’t matter what the account privileges are – for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn’t escape parameters provided by its shortcodes before concatenating it to an SQL query.

A malicious individual using this bug could (among other things) leak the site’s usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.

Technical Details

SQL injections tend to be trickier to find in popular plugins now than they used to be, partly due to the increasing popularity of prepared statements like $wpdb->prepare(). That’s why when we stumbled upon the following snippet of code, we thought it could be interesting to investigate a bit further:

 

Suspicious Ninja Forms code snippet
Suspicious Ninja Forms code snippet

As you can see, the $meta_value variable (which contains the content of $form_id) is concatenated to the SQL query without being escaped first.

Ninja forms vulnerability
Direct user input

We found the function being used in a couple of places with direct user input as its first argument. While this would have been an SQL injection by itself in other PHP applications, it’s not the case with WordPress as it automatically escapes $_GET, $_POST and $_REQUEST when booting up. So we had to look a bit further to find some snippets that could be exploited. That’s when we found this snippet:

ninja forms vulnerability shortcode generation
Shortcode generation

Basically speaking, it registers the shortcode ninja_forms_display_sub_number using the WordPress Shortcode API and sets its callback function to the one we see above. From there, $atts contains the list of parameters the shortcode contains in their raw, unescaped value. This means if a user wrote a post containing a shortcode like [ninja_forms_display_sub_number id=”123′ SQL INJECTION OCCURS HERE”], he could perform an SQL injection attack.

Now, it isn’t that much of a big vulnerability if it’s restricted to more privileged users, so we had to dig deeper to find out how we could use this attack with less privileged accounts.

ninja forms vulnerability allows shortcode execution from wordpress core
Function in WordPress core allowing shortcodes execution

That’s when we found this function in WordPress core. It’s accessible by sending a POST request to /wp-admin/admin-ajax.php using the parse-media-shortcode POST action parameter. As you may understand from the code, it allows any user to execute any shortcodes they want (using do_shortcode), as long as it’s not embedded. To access this snippet one would need to POST a request like:

ninja forms vulnerability post request example
Example of malicious post request

Using this attack vector, the attacker would be able to exploit the vulnerability with low-privileged accounts, like subscribers.

Update as Soon as Possible

If you’re using a vulnerable version of this plugin, yes, update as soon as possible! In the event where you cannot do this, we strongly recommend leveraging the Sucuri Firewall or equivalent technology to have the vulnerability patched virtually.

FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, WordPress SecurityTags: SQL Injection, WordPress Plugins and Themes

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Reader Interactions

Comments

  1. Kevin Stover

    August 16, 2016

    Hey Marc,

    Thanks for reporting this to us properly and allowing us to take care of the issue quickly! We appreciate the direct communication.

    For users, if you’re on version 2.9.55.2 or higher, your site isn’t vulnerable.

    Thanks again!

    • Daniel Cid

      August 16, 2016

      Thanks for the update. Also, great turn around from you guys. That was a quick response/patch timeline.

      • Thomas Zickell

        August 30, 2016

        Daniel you guys are always on the cutting-edge, thanks man!

    • Marc Montpas

      August 17, 2016

      I gotta say I had a good experience reporting this vuln to you guys, loved how you quickly handled the whole process.. Definitely a good example for all developers to follow. 🙂

  2. Niall Flynn

    August 17, 2016

    So good when these are accepted, patched and all is well in no time with no fuss 🙂

    • Daniel Cid

      August 23, 2016

      That’s how things should be!

  3. kimshivler

    August 17, 2016

    As always, Thank you Sucuri for your diligence and efforts to keep our websites safe. Thank you WP Ninjas for fixing this quickly. I depend on your forms and have updated my sites.

  4. Canuckistani

    August 17, 2016

    Already seeing a huge uptick in bot registration attempts on the one wordpress website where this plugin is in use.

  5. Ñâfìsúl Íslâm Ñâhíñ

    August 17, 2016

    Hi, I am using Sucuri Firewall in some of my blogs. But i have been with a very tough and disturbing issue with all of my blogs.
    The Issue is: I see someone is posting spamy posts like “movie torrent, downloads etc” to my blogs and that too using my own administrative account. First i suspected a plugin named “WP Core 3” and i deleted the plugin but somehow the plugin used to get installed automatically no matter how many times i deleted them.

    I tried reinstalling one of my new blog (replacing with new files except wpconfig and wpcontents.) and deleted all the themes and plugins, then changed the SALT key. I thought the issue wont repeat with this blog now. But unexpectedly it happened again. 🙁
    Can i get some suggestion to get this issue fixed forever. I searched google but no effective results were found.

    • Daniel Cid

      August 23, 2016

      Mind sending the details in private to dcid@sucuri.net? We will check what is going on.

      thanks!

  6. Gal Ish Shalom

    August 17, 2016

    You mention in the article that: “WordPress … automatically escapes $_GET, $_POST and $_REQUEST when booting up”. Can you give a reference or send more details on that ?

  7. Gal Ish Shalom

    August 23, 2016

    Thanks! I did wonder why $_POST args have slashes before quotes in wordpress…
    But why is this useful ?
    Database queries should be performed using prepared mysqli_stmt that escape this these arguments, right ?

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.