Vulnerability Alert: SQL Injection Vulnerability in Ninja Forms
Tagged: exploit, safe, security, SQL Injection, Vulnerability, website, WordPress
- This topic has 0 replies, 1 voice, and was last updated 9 years ago by Administrator.
- August 17, 2016 at 6:49 pm EDT #810, Administrator (Keymaster)
Vulnerability Alert by Sucuri
We’re reaching out to you today to ensure that you are up to date regarding the latest security issues that may be affecting your website. Keeping our community safe and educated is of great importance to us.
As part of our regular research audits we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.
The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim’s site. It doesn’t matter what the account privileges are – for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn’t escape parameters provided by its shortcodes before concatenating them into an SQL query.
A malicious individual using this bug could (among other things) leak the site’s usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.
Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 6/10
Vulnerability: SQL Injection
Patched Version: 2.9.55.2
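The bug class described in the alert (a shortcode attribute concatenated straight into an SQL query, leaking user_login and user_pass from wp_users) is easy to reproduce in isolation. The following is an added illustration written for this page; it is not Ninja Forms code and it does not reproduce the actual vulnerable query. The shortcode handler, the wp_form_submissions table and the sample rows are all invented for the demonstration, and SQLite stands in for MySQL.

```python
"""
Illustration of an unescaped shortcode attribute concatenated into SQL,
beside a hardened version that binds the value as a parameter.

Added example, not plugin code. The handler names, the wp_form_submissions
table and all rows below are constructed for the demonstration.
"""
import sqlite3

# Constructed sample data standing in for a WordPress database. The hash is
# a placeholder in the phpass "$P$" format, not a real password hash.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE wp_form_submissions (id INTEGER PRIMARY KEY, form_id INTEGER, value TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BplaceholderHash0000000000000');
INSERT INTO wp_form_submissions VALUES (1, 7, 'hello'), (2, 7, 'world'), (3, 8, 'other');
"""


def connect():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def render_submissions_vulnerable(conn, form_id_attr):
    """Hypothetical shortcode handler that trusts its 'id' attribute.

    This mirrors the bug class in the alert: the attribute string is pasted
    into the query, so whoever controls the shortcode controls the SQL.
    """
    sql = "SELECT value FROM wp_form_submissions WHERE form_id = " + form_id_attr
    return [row[0] for row in conn.execute(sql)]


def render_submissions_fixed(conn, form_id_attr):
    """Hardened handler: coerce to an integer and bind it as a parameter.

    The WordPress equivalent is absint() on the attribute followed by
    $wpdb->prepare() with a %d placeholder; non-numeric input never reaches
    the query text.
    """
    try:
        form_id = int(form_id_attr)
    except (TypeError, ValueError):
        return []
    sql = "SELECT value FROM wp_form_submissions WHERE form_id = ?"
    return [row[0] for row in conn.execute(sql, (form_id,))]


# Attribute value an authenticated low-privilege user might supply through
# the shortcode. The UNION keeps the column count at one so it merges into
# the original result set and comes back rendered on the page.
PAYLOAD = "7 UNION SELECT user_login || ':' || user_pass FROM wp_users"


def demo():
    """Run both handlers against the same payload; returns (leaked, safe)."""
    conn = connect()
    leaked = render_submissions_vulnerable(conn, PAYLOAD)
    safe = render_submissions_fixed(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler returned:", safe)
```

The vulnerable handler returns the two genuine submissions plus an `admin:$P$...` row pulled from wp_users, which is exactly the username-and-hash leak the alert describes; the fixed handler rejects the payload outright because it never parses as an integer, and for a legitimate `id="7"` it returns only the rows for form 7.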