Ninja Forms’ Merge Tags Functionality is Still Vulnerable
Last week the 1+ million install WordPress plugin Ninja Forms fixed what appears to have been a zero-day vulnerability involving its merge tags functionality. As part of thoroughly reviewing that fix, since at least one of our customers uses the plugin, we found that the functionality is still vulnerable.
The developer describes that functionality this way:
Merge tags are a feature of Ninja Forms that allows data to be pulled from different sources within WordPress and populated in the location that the merge tag is placed. They can be used to pre-populate fields with logged in user metadata, pass field data from one form to another, populate email messages with the name of the submitter, and much more.
The vulnerability involved something that shouldn’t be possible if the functionality actually worked as described: someone submitting a form was able to specify merge tags to be used, while the intended functionality should only allow those creating forms to do that. The change made to address the vulnerability didn’t address that issue.
In Ninja Forms’ default state, the submitter would get the result of their submitted merge tag in an email confirming their submission. A lot of what is accessible through that isn’t a security risk; for example, the website’s title isn’t a secret. Other things are of more concern. One of those is that the email address of the author of the post the contact form is included on can be displayed.
Some of the merge tag functionality isn’t accessible this way.
It looks like addons can extend the merge tags functionality, so more sensitive functionality might be available on some websites.
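To show the ordering mistake the post describes, here is an added illustration (not Ninja Forms’ code; the tag names, context values and the submitted message are constructed): a simplified PHP merge-tag expander that resolves tags after user input has been inserted, beside a version that resolves the form author’s template first and then treats submitted values as opaque text.

```php
<?php
// Constructed context: values a form author may legitimately reference
// from a template via merge tags. Not taken from Ninja Forms.
$context = [
    'site:title'        => 'Example Site',
    'post:author_email' => 'author@example.invalid',
];

// Resolve every {group:key} merge tag in $text from $context.
// Unknown tags are left untouched.
function expand_merge_tags(string $text, array $context): string {
    return preg_replace_callback('/\{([a-z_]+:[a-z_]+)\}/', function ($m) use ($context) {
        return $context[$m[1]] ?? $m[0];
    }, $text);
}

// Map submitted field values to the {field:name} placeholders in a template.
function field_map(array $fields): array {
    $map = [];
    foreach ($fields as $name => $value) {
        $map['{field:' . $name . '}'] = $value;
    }
    return $map;
}

// Vulnerable order: submitted values are spliced into the template first
// and the whole string is expanded afterwards, so a tag typed into a form
// field is resolved with the same privileges as the author's template.
function build_email_vulnerable(string $template, array $fields, array $context): string {
    $body = strtr($template, field_map($fields));
    return expand_merge_tags($body, $context);
}

// Hardened order: only the author's template is expanded; submitted values
// are substituted afterwards in a single pass (strtr does not rescan its
// own replacements), so tags in user data stay literal text.
function build_email_hardened(string $template, array $fields, array $context): string {
    $body = expand_merge_tags($template, $context);
    return strtr($body, field_map($fields));
}

$template = "Thanks for contacting {site:title}.\nYour message: {field:message}";
$fields   = ['message' => 'Hello {post:author_email}']; // constructed submission

echo build_email_vulnerable($template, $fields, $context), "\n\n";
echo build_email_hardened($template, $fields, $context), "\n";
```

With this input the vulnerable builder resolves the submitted tag to the author’s address, while the hardened builder echoes the literal text {post:author_email} back; the fix is the order of the two steps, not filtering of the input.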
We contacted the developer of the plugin about this over the weekend, but have yet to hear back from them, and the issue hasn’t been addressed so far.
Proof of Concept
- Access a page with one of the plugin’s forms.
- On a form input, add “{post:author_email}”.
- Submit the form.
- You will get an email containing the email address of the post’s author.