27 Jul 2023

WordPress Security Providers Delaying Vulnerability Disclosures Doesn’t Stop Hackers From Figuring Them Out

This week we have been covering a mess that started with the developers of the Freemius library not properly handling a security issue we reported to them last year. Instead of addressing the issue at the time, they put out a post criticizing and lying about what had gone on. They wrote this about our warning about the vulnerabilities after they had released an incomplete fix (without giving us a chance to review the changes first):

Unlike last time, we didn’t even try to ask the reporter to remove the article as we’ve learned it’s a waste of time and our request can only backfire on us. Instead, we politely tried to understand the reasoning behind the unexpected disclosure to assess if/how we could avoid it in the future. [Read more]

14 Jul 2023

Not Really a WordPress Plugin Vulnerability, Week of July 14

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Arbitrary File Deletion in Ninja Forms

Patchstack recently claimed that there had been an arbitrary file deletion vulnerability in Ninja Forms. They described it, in part, this way: [Read more]

12 Jul 2023

Information Disclosure Vulnerability in Ninja Forms Incompletely Fixed

The recent version 3.6.26 of the WordPress plugin Ninja Forms includes what the developer describes as a number of “security enhancements”. One of those is “[p]revent unauthorized download of submission”. That sounds less like an enhancement and more like a vulnerability. We confirmed it was a vulnerability and that it had been incompletely fixed.

Looking at the changes made in that version, we found that this appeared to relate to legacy functionality that still exists in the plugin despite not normally being used. [Read more]

3 Feb 2023

Not Really a WordPress Plugin Vulnerability, Week of February 3

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross-Site Scripting via Import in Ninja Forms

Automattic’s WPScan claimed there had been an admin+ stored cross-site scripting via import vulnerability in the plugin Ninja Forms. They explained it this way: [Read more]

14 Oct 2022

Not Really a WordPress Plugin Vulnerability, Week of October 14

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ PHP Objection Injection in Ninja Forms

Automattic’s WPScan claimed there was an admin+ PHP objection injection vulnerability in Ninja Forms. Presumably they were trying to refer to “PHP object injection”. They explained it this way: [Read more]

1 Jul 2022

Not Really a WordPress Plugin Vulnerability, Week of July 1

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross-Site Scripting in Ninja Forms

Automattic’s WPScan made this claim about a supposed admin+ stored cross-site scripting vulnerability in the plugin Ninja Forms: [Read more]

20 Jun 2022

Ninja Forms’ Merge Tags Functionality is Still Vulnerable

Last week the 1+ million install WordPress plugin Ninja Forms fixed what appears to have been a zero-day vulnerability involving its merge tags functionality. Since at least one of our customers uses the plugin, we thoroughly reviewed the fix, and in doing so we found that the functionality is still vulnerable.

The developer describes that functionality this way: [Read more]

17 Jun 2022

Clearing Up Some Claims Made About the Remote Code Execution (RCE) Vulnerability Fixed in Ninja Forms

Two days ago, WPScan described a vulnerability fixed in the WordPress plugin Ninja Forms the day before this way:

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such an issue since June 9th, 2022 [Read more]

27 May 2022

Our Proactive Monitoring Caught a CSRF/PHP Object Injection Vulnerability in 1+ Million Install WordPress Plugin Ninja Forms

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Late last year we expanded on that for our customers by running the plugins they use through the same system on a weekly basis, even when the code in them has not been updated. We just made a significant improvement to the automated portion of that monitoring. Through that, we caught a less serious variant of one of the vulnerability types it looks for, a cross-site request forgery (CSRF)/PHP object injection vulnerability in Ninja Forms, which, besides being used by at least one of our customers, is used on 1+ million websites according to wordpress.org’s stats.

That Ninja Forms has yet another vulnerability isn’t surprising considering the developer’s security track record, which includes disclosing a fairly serious unfixed vulnerability last year (alongside Wordfence) and still not having addressed an incorrect security fix that we notified them about in January. [Read more]
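The merge-tag problem WPScan describes in the 17 Jun 2022 entry above (request-supplied strings turned into static method calls, one of which reaches a PHP object injection sink) and the CSRF/PHP object injection variant in this entry share the same shape: attacker-controlled data selects or feeds a dangerous callable. The following PHP sketch is an added illustration, not code from Ninja Forms or from this blog; the class, function and constant names (Hypothetical_Form, resolve_merge_tags_unsafe, resolve_merge_tags_safe, SAFE_MERGE_TAGS, load_setting_safe) are invented, and the request payload is constructed for the demo.

```php
<?php
// Added illustration, not Ninja Forms code. Every name below is invented and
// stands in for whatever a real plugin's merge-tag resolver uses.

class Hypothetical_Form {
    // A static helper of the kind a plugin might expose. Reached with attacker
    // input, unserialize() is a PHP object injection sink: any class on the
    // site with a __wakeup()/__destruct() gadget becomes instantiable.
    public static function load_setting(string $blob) {
        return unserialize($blob);
    }

    public static function upper(string $s): string {
        return strtoupper($s);
    }
}

// Render a resolved value for display; objects are shown by class name so the
// demo makes visible whether something was instantiated.
function describe($value): string {
    return is_object($value) ? get_class($value) : var_export($value, true);
}

// Vulnerable pattern: the request names the callable ("{callback:Class::method}")
// and the argument, and anything is_callable() accepts gets invoked. Every
// public static method of every loaded class is exposed to an unauthenticated caller.
function resolve_merge_tags_unsafe(string $template, array $request): string {
    $pattern = '/\{callback:([A-Za-z0-9_\\\\]+::[A-Za-z0-9_]+)\}/';
    return preg_replace_callback($pattern, function (array $m) use ($request): string {
        if (is_callable($m[1])) {
            return describe(call_user_func($m[1], $request['value'] ?? ''));
        }
        return $m[0];
    }, $template);
}

// Hardened pattern: tag names map to an explicit allow-list, the request never
// supplies a callable, and unknown tags are dropped instead of echoed back.
const SAFE_MERGE_TAGS = [
    'upper' => [Hypothetical_Form::class, 'upper'],
];

function resolve_merge_tags_safe(string $template, array $request): string {
    return preg_replace_callback('/\{([^}]*)\}/', function (array $m) use ($request): string {
        if (!isset(SAFE_MERGE_TAGS[$m[1]])) {
            return '';
        }
        return describe(call_user_func(SAFE_MERGE_TAGS[$m[1]], $request['value'] ?? ''));
    }, $template);
}

// Where unserialize() genuinely has to stay, refuse to build objects at all:
// an "O:..." payload then yields __PHP_Incomplete_Class and no gadget fires.
function load_setting_safe(string $blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed request, as an unauthenticated form submission might carry it.
$request = ['value' => 'O:8:"stdClass":0:{}'];
$tag     = '{callback:Hypothetical_Form::load_setting}';

// Attacker-chosen static method is invoked on attacker-chosen data.
echo resolve_merge_tags_unsafe($tag, $request), PHP_EOL;
// The same tag is not on the allow-list, so it is dropped.
echo resolve_merge_tags_safe($tag, $request), PHP_EOL;
// Even if the sink is reached, no object of a real class is created.
echo describe(load_setting_safe($request['value'])), PHP_EOL;
```

The allow-list is the fix that matters: `is_callable()` is not an authorization check, and a CSRF nonce or capability check on the endpoint only narrows who can reach the resolver, not what the resolver will call. The `allowed_classes` guard is defence in depth for code paths where serialized data is unavoidable; where it is avoidable, `json_decode()` removes the sink entirely.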

17 Mar 2022

Vulnerability Details: Information Disclosure in Ninja Forms

Back in September we discussed a situation where the developer of the WordPress plugin Ninja Forms had disclosed an unfixed vulnerability in their plugin, by including a fix in the Subversion repository that underlies WordPress’ plugin directory, but not making that available for normal download. That has happened again. [Read more]