A few months back, researchers from Sucuri discovered an SQL injection vulnerability in the Ninja Forms plugin for WordPress, which is currently installed on 600,000+ websites. Sucuri found the flaw during one of its regular research audits for the Sucuri Firewall, and it did not take the vendor long to fix: the issue was resolved quickly.
The disclosure was a hot topic in the WordPress community. According to Sucuri's advisory:
“The attack vector used to exploit this vulnerability requires the attacker to have an account on the victim’s site. It doesn’t matter what the account privileges are – for example, a subscriber could exploit this issue. The issue occurs because the plugin doesn’t escape parameters provided by its shortcodes before concatenating them to an SQL query.
A malicious individual using this bug could (among other things) leak the site’s usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.”
Sucuri noted in a blog post that it disclosed the issue to Ninja Forms on 11th August, and that within 5 hours the problem was fixed and a new version was made public. Users were asked to update the plugin as soon as possible, before attackers could take advantage of it. A site that has not been updated remains exposed: anyone exploiting this vulnerability could leak the site’s usernames and hashed passwords and, in certain configurations, its WordPress secret keys.
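To make the root cause Sucuri describes concrete, here is an added illustration of the bug class (a shortcode attribute concatenated straight into SQL) next to the corrected form. This is hypothetical example code, not Ninja Forms' own code; the table name, the `form_id` attribute and the `example_entries` shortcode are made up, and it assumes a WordPress runtime that provides `$wpdb`, `shortcode_atts()`, `absint()` and `add_shortcode()`.

```php
<?php
// Added illustration of the vulnerability class, not Ninja Forms' code.
// Assumes WordPress: $wpdb, shortcode_atts(), absint(), add_shortcode().
// Table name, attribute name and shortcode tag are hypothetical.

// UNSAFE: the shortcode attribute reaches the SQL string verbatim.
function example_form_entries_unsafe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'form_id' => '' ), $atts, 'example_entries' );

    // BUG: whoever controls the shortcode attribute controls part of the
    // query. As the advisory notes, that only requires an account on the
    // site, regardless of role.
    $sql = "SELECT id, value FROM {$wpdb->prefix}example_entries"
         . " WHERE form_id = " . $atts['form_id'];
    return $wpdb->get_results( $sql );
}

// SAFE: validate the type, then bind the value with $wpdb->prepare().
function example_form_entries_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'form_id' => '' ), $atts, 'example_entries' );

    // Fix 1: coerce to the type the column expects before it goes near SQL.
    $form_id = absint( $atts['form_id'] );
    if ( 0 === $form_id ) {
        return array();
    }

    // Fix 2: $wpdb->prepare() emits %d as an integer and %s as a quoted,
    // escaped string, so the attribute never reaches the SQL parser as code.
    $sql = $wpdb->prepare(
        "SELECT id, value FROM {$wpdb->prefix}example_entries WHERE form_id = %d",
        $form_id
    );
    return $wpdb->get_results( $sql );
}

add_shortcode( 'example_entries', 'example_form_entries_safe' );
```

When auditing a plugin for this pattern, look for `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` calls whose SQL string interpolates `$atts` or other request-derived values without passing through `$wpdb->prepare()`.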