Vulnerability Details: Authenticated SQL Injection in Ninja Forms
One of the changelog entries for a recent version of the WordPress plugin Ninja Forms is:
…
One of the changelog entries for a recent version of the WordPress plugin Ninja Forms is:
…
When we discover vulnerabilities, we have always warned our customers only at the same time we were publicly disclosing them, since doing otherwise would give hackers information that the public doesn’t have. Other companies are okay with giving hackers a possible leg up, and possibly profiting off them; one of those is the developer of the Wordfence Security plugin.
As a practical example of what that means, hackers can currently exploit an unfixed authenticated information disclosure vulnerability in the plugin Ninja Forms, which has 1+ million installs, because of Wordfence. Making things easier for hackers, the developer of Ninja Forms, Saturday Drive, has disclosed even more information on the vulnerability in a form easily accessible to hackers but unlikely to be noticed by the public, yet has still not provided users of the plugin with a fix. [Read more]
One of the changelog entries for the latest version of Ninja Forms is headlined “Security” and says “Removed an outdated template that was localizing a couple server variables.” Looking at the changes made, the only thing we can see that seems to match that is the removal of the following code from the function output_templates() in the file /includes/Display/Render.php:
…
Yesterday a new version of the plugin Ninja Forms was released with the changelog entry “Patched a reflected XSS vulnerability in our administrative dashboard. Thank you to Samuel Anttila at netsec.expert for practicing responsible disclosure.” Looking at the changes made in that version, we found that this exactly described the issue being fixed, with the page it occurred on named Dashboard.
…
We started the week out mentioning the issue of authenticated open redirects in popular plugins, and it looks like we haven’t been the only ones looking into this recently, as version 3.3.19.1 of the very popular Ninja Forms, which has 1+ million active installations according to wordpress.org, had this as its changelog entry:
…
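To make the class of bug concrete, here is an added example (not code from Ninja Forms or from any other plugin) of the authenticated open-redirect pattern in plain PHP, so it runs from the CLI. A plugin admin page that ends with `wp_redirect($_GET['redirect_to']); exit;` lets a crafted link send a logged-in user to an attacker-chosen site. WordPress’ own mitigation is wp_safe_redirect(), which falls back to wp-admin unless the target’s host is the site’s own host or one added through the allowed_redirect_hosts filter; is_safe_redirect_target() below approximates that validation. The parameter name redirect_to, the host example.com and the sample URLs are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Ninja Forms code. Approximates what wp_safe_redirect()
// does before issuing a Location header: accept relative paths and URLs on an
// allowed host, refuse everything else. $site_host / $extra_hosts stand in for
// the site URL and the 'allowed_redirect_hosts' filter.
function is_safe_redirect_target(string $target, string $site_host, array $extra_hosts = []): bool
{
    // Drop whitespace and control characters that browsers ignore ("java\nscript:").
    $target = preg_replace('/[\x00-\x20\x7f]/', '', $target) ?? '';
    if ($target === '') {
        return false;
    }
    // "//evil.example" and "/\evil.example" are protocol-relative, not local paths.
    if (substr($target, 0, 2) === '//' || substr($target, 0, 2) === '/\\') {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return false; // javascript:, data:, etc.
    }
    $host = strtolower($parts['host'] ?? '');
    if ($host === '') {
        // No host at all: a relative path such as "admin.php?page=ninja-forms".
        return $scheme === '';
    }
    $allowed = array_map('strtolower', array_merge([$site_host], $extra_hosts));
    return in_array($host, $allowed, true);
}

// The URL that should actually go into the Location header.
function safe_redirect_target(string $requested, string $site_host, string $fallback): string
{
    return is_safe_redirect_target($requested, $site_host) ? $requested : $fallback;
}

// Constructed values an attacker would try in a "redirect_to" parameter.
$site     = 'example.com';
$fallback = 'https://example.com/wp-admin/';
foreach ([
    'admin.php?page=ninja-forms',                       // relative, kept
    'https://example.com/wp-admin/admin.php?page=x',    // own host, kept
    'https://evil.example/',                            // foreign host, replaced
    '//evil.example/',                                  // protocol-relative, replaced
    '/\\evil.example/',                                 // backslash variant, replaced
    'https://example.com.evil.example/',                // suffix trick, replaced
    'https://example.com@evil.example/',                // userinfo trick, replaced
    "java\nscript:alert(1)",                            // non-http scheme, replaced
] as $requested) {
    printf("%-50s -> %s\n", json_encode($requested), safe_redirect_target($requested, $site, $fallback));
}
```

Note that the check is on the parsed host, never on a string prefix: `https://example.com@evil.example/` and `https://example.com.evil.example/` both start with the site’s name and both go to a foreign host. A user being logged in does not reduce the severity here; the attacker only needs the victim to follow a link.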
When it comes to choosing security products and services, what is lacking is nearly any evidence that they are effective, while at the same time there is plenty that shows that many of them are not. For example, over at our main business we regularly have people asking if we offer one that will really protect their website from being hacked, after the one they were using didn’t prevent their website from being hacked. So why would people be using those if there isn’t evidence that they work? One of the reasons we have heard from people we have dealt with that have had their websites hacked is that they are using products and services based on the recommendation of others. Since those recommendations are not going to be based on evidence, since there is a dearth of that, not surprisingly a lot of that advice is quite bad. Take as an example of that bad advice the most recent post on the blog of the Ninja Forms plugin, which is used on 1+ million websites. We ran across that while looking to see if they had released a post on the vulnerability fixed a couple of days ago, when we were detailing that.
Right off the bat the post, 5 WordPress Security Plugins to Keep You Safe, puts forward the proposition that the Wordfence Security plugin is trustworthy, which seems to be disputed by reality. The post claims the Wordfence Security plugin is “one of the most trusted security plugins for WordPress”. They provide no evidence that it is trusted at all, much less one of the most trusted. Maybe by that they mean that it is tied for most popular and is therefore trusted due to that, but that doesn’t mean it actually works at all or should be trusted (the security plugin it is tied for most popular with currently contains a vulnerability and is not needed). Near the end of their discussion of the plugin they again refer to it as “trustworthy”. [Read more]
One of the changelog entries for the latest version of Ninja Forms is “Patched a redirect XSS vulnerability using code injection on our submissions page.” In looking at the changes made in that version, we found that there was a reflected cross-site scripting (XSS) vulnerability on the plugin’s admin page Submissions that was fixed.
…
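Both the Dashboard and the Submissions fixes above are reflected XSS on admin pages. As an added example (not Ninja Forms code, and not the actual fix), here is the shape of that bug in plain PHP: an admin page copies request parameters straight into its HTML, so an attacker who gets an administrator to open a crafted link runs JavaScript with that administrator’s privileges. The parameter names form_id and s, the page markup and the crafted values are all constructed for the demonstration. In WordPress the escaping functions are esc_html() for text and esc_attr() for attribute values; htmlspecialchars() stands in for them so the file runs from the CLI.

```php
<?php
declare(strict_types=1);

// Added example, not Ninja Forms code. Stand-in for WordPress' esc_html()/esc_attr():
// encodes <, >, &, " and ' so the value cannot close the element it lands in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: request values are written into the page unchanged (hypothetical markup).
function render_submissions_vulnerable(array $request): string
{
    $form_id = $request['form_id'] ?? '';
    $search  = $request['s'] ?? '';
    return '<h2>Submissions for form ' . $form_id . '</h2>' . "\n"
         . '<input type="text" name="s" value="' . $search . '">' . "\n";
}

// After: every untrusted value is escaped for the context it lands in (text node,
// attribute value). The id is additionally cast, so only a number can ever appear.
function render_submissions_fixed(array $request): string
{
    $form_id = (int) ($request['form_id'] ?? 0);
    $search  = (string) ($request['s'] ?? '');
    return '<h2>Submissions for form ' . h((string) $form_id) . '</h2>' . "\n"
         . '<input type="text" name="s" value="' . h($search) . '">' . "\n";
}

// Constructed query-string values of the kind that would be sent to a victim as a link.
$crafted = [
    'form_id' => '1<script>alert(document.cookie)</script>',
    's'       => '"><img src=x onerror=alert(1)>',
];
echo "--- vulnerable ---\n", render_submissions_vulnerable($crafted);
echo "--- fixed ---\n",      render_submissions_fixed($crafted);
```

The escaping has to match the output context: a value placed inside a `<script>` block needs esc_js() or json_encode() rather than esc_html(), and a value placed in a URL attribute needs esc_url(). Restricting a page to administrators does not mitigate reflected XSS, since the administrator is exactly the user the crafted link is aimed at.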
Back in June we disclosed a minor vulnerability in the plugin Postman SMTP that we had discovered. We were not able to contact the developer of the plugin and it hasn’t been fixed since we disclosed it. In the past we would have notified the Plugin Directory of the issue and the plugin would have been removed, but due to WordPress’ continued poor handling of security related matters we have suspended reporting publicly disclosed vulnerabilities in the current version of plugins until they take concrete steps to start notifying people when they are using removed plugins and improve their forum moderation (which, as it stands, causes problems for people trying to get vulnerabilities fixed).
Whether due to this vulnerability or something else the plugin was removed from the Plugin Directory yesterday. In looking to see if there was any information that indicated there might be some other issue with the plugin we noticed this recent tweet: [Read more]