Today it was disclosed that the popular WordPress contact form called Ninja Forms patched two vulnerabilities, affecting over 1 million WordPress installations. This represents another in a growing list of REST API related vulnerabilities that are being discovered among many WordPress plugins.
It must be reiterated that there is nothing wrong with the WordPress REST API itself. The problems originate in how WordPress plugins design their interactions with the REST API.
WordPress REST API
The WordPress REST API is an interface that allows plugins to interact with the WordPress core. The REST API allows plugins, themes and other applications to manipulate WordPress content and create interactive functionalities.
This technology extends what the WordPress core can do.
The WordPress core receives data through the REST API interface from the plugins in order to accomplish these new experiences.
However, like any other interact that allows uploading or inputting of data, it is important to “sanitize” what is being input and who is able to make the input, in order to make sure the data is what is expected and designed to received.
Failure to sanitize the inputs and restrict who is able to input the data can lead to vulnerabilities.
And that’s exactly what happened here.
Permissions Callback Vulnerability
The two vulnerabilities were the result of a single REST API validation issue, specifically in the Permissions Callbacks.
The permissions callback is a part of the authentication process that restricts access to REST API Endpoints to authorized users.
The official WordPress documentation describes an endpoint as a function:
“Endpoints are functions available through the API. This can be things like retrieving the API index, updating a post, or deleting a comment. Endpoints perform a specific function, taking some number of parameters and return data to the client.”
According to the WordPress REST API documentation:
“Permissions callbacks are extremely important for security with the WordPress REST API.
If you have any private data that should not be displayed publicly, then you need to have permissions callbacks registered for your endpoints.”
Two WordPress Ninja Forms Vulnerabilities
There were two vulnerabilities that were both related to a permissions callback error in implementation.
There is nothing wrong with the WordPress REST API itself but how plugin makers implement it can lead to problems.
These are the two vulnerabilities:
Sensitive Information Disclosure
Unprotected REST-API to Email Injection
Sensitive Information Disclosure Vulnerability
The Sensitive Information Disclosure vulnerability allowed any registered user, even a subscriber, to export every form that had ever been submitted to the website. That includes all confidential information that someone may have submitted.
The Ninja Forms had a permissions callback that checked if a user was registered but it didn’t check if the user had a proper permission level to execute a bulk export of all forms submitted through the Ninja Forms WordPress plugin.
That failure to check the permission level of the user is what allowed any registered user, including a website subscriber, to execute a bulk export of all submitted forms.
The Unprotected REST-API to Email Injection
This vulnerability was due to the same faulty permissions callback that failed to check permission level of the registered attacker. The vulnerability took advantage of a Ninja Forms functionality that allows website publishers to send bulk email notifications or email confirmations in response to form submissions.
The Email Injection vulnerability allowed an attacker to use this specific Ninja Forms functionality to blast emails from the vulnerable website to any email address.
This particular vulnerability had the possibility for launching a full site takeover or a phishing campaign against a website’s customers.
According to the security researchers at Wordfence who discovered the vulnerability:
“This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email.
In addition, a more targeted spear phishing attack could be used to fool a site owner into believing that an email was coming from their own site.
This could be used to trick an administrator into entering their password on a fake login page, or allow an attacker to take advantage of a second vulnerability requiring social engineering, such as Cross-Site Request Forgery or Cross-Site Scripting, which could be used for site takeover.”
Immediate Update to Ninja Forms Recommended
Security researchers are Wordfence recommend that users of the WordPress Ninja Forms plugin update their plugin immediately.
The vulnerability is rated as a medium level danger, scoring 6.5 on a scale of 1 to 10.
Read the Wordfence announcement:
Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners
Official Ninja Forms Changelog