On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used to phish unsuspecting users.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 2, 2021. Sites still using the free version of Wordfence received the same protection on September 1, 2021.
We sent the full disclosure details to Ninja Forms on August 3, 2021, as per the security disclosure policy listed on the Ninja Forms website. Ninja Forms acknowledged the report the same day and informed us that they would start working on a patch immediately. A patch was released on September 7, 2021 in version 3.5.8.
We strongly recommend updating immediately to the latest patched version of Ninja Forms, which is version 126.96.36.199 at the time of this publication, to address these security issues.
Description: Unprotected REST-API to Sensitive Information Disclosure
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: <= 3.5.7