CVE-2023-38386: Missing Authorization Vulnerability in Saturday Drive Ninja Forms Exposed and Explained

In this post, we will discuss a recently discovered vulnerability (CVE ID: CVE-2023-38386) in the popular WordPress plugin, Saturday Drive Ninja Forms. This vulnerability exposes affected website installations to the risk of unauthorized modifications to form settings. The issue impacts Ninja Forms versions up to and including 3.6.25. Before diving into the technical details and exploit scenarios, let's first go over the background of this vulnerability in plain terms.

Background

Ninja Forms is a widely used plugin for creating and managing contact forms on WordPress. It makes it simple for website administrators to build and customize form layouts, set up form submission actions, and manage submitted data. Recently, a security vulnerability was discovered in the plugin which could allow an attacker to modify the form settings without the plugin verifying that the requester is authorized to do so.

This particular vulnerability is a Missing Authorization issue, meaning that the plugin does not check the user's permissions when certain actions are taken. This gap allows users with little to no privileges to change the plugin's settings, potentially compromising the site's functionality and security.

Technical Details

To better understand the vulnerability, let's analyze the relevant code snippet from the Ninja Forms plugin:

// file: includes/Admin/AJAX.php
public function ajax_action() {
    // Verifies the request carries a valid nonce in the 'security' parameter.
    // This only ties the request to a page that rendered the nonce; it says
    // nothing about whether the requester may change plugin settings.
    check_ajax_referer( $this->_nonce, 'security' );

    // NOTE: no capability check (e.g. current_user_can()) happens here.
    // Decode the JSON list of settings sent by the client.
    $form_data = json_decode( stripslashes( $_POST['form_data'] ) );

    // Let other code hook each setting before it is stored.
    foreach( $form_data as $key => $form_setting ) {
        $form_data[ $key ]->value = apply_filters( 'ninja_forms_update_' . $form_setting->key, $form_setting->value );
    }

    // Persist the client-supplied settings directly to the options table.
    update_option( 'ninja_forms_settings', $form_data );
    die();
}

This code processes an incoming AJAX request to update the plugin's settings. What is missing is a permission check confirming that the requesting user has the authority to update these options. As a result, even unauthenticated users can potentially update the plugin's settings by sending a crafted AJAX request.
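For comparison, here is how such a WordPress AJAX handler can be written so that the authorization gap described above is closed. This is an added illustration, not Ninja Forms' own code or its actual patch; the class name, the nonce action string, the `manage_options` capability choice, and the `ninja_forms_update_settings` action name used in the registration are assumptions.

```php
<?php
// Added example (not the plugin's code): a settings-update AJAX handler that
// checks both the nonce (CSRF) and the caller's capability (authorization).
class NF_Settings_Ajax_Example {
    private $_nonce = 'ninja_forms_settings_nonce'; // assumed nonce action name

    public function register() {
        // Register under wp_ajax_ only: wp_ajax_nopriv_ would expose the
        // handler to logged-out visitors, which a settings update never needs.
        add_action( 'wp_ajax_ninja_forms_update_settings', array( $this, 'ajax_action' ) );
    }

    public function ajax_action() {
        // 1. Nonce check. Passing false as the third argument makes
        //    check_ajax_referer() return false instead of dying, so we can
        //    send a structured JSON error.
        if ( ! check_ajax_referer( $this->_nonce, 'security', false ) ) {
            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
        }

        // 2. Authorization check: the step missing from the vulnerable handler.
        //    Only users who may manage site options can change plugin settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
        }

        // 3. Validate the input shape before touching the options table.
        $raw       = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : '';
        $form_data = json_decode( $raw, true );
        if ( ! is_array( $form_data ) ) {
            wp_send_json_error( array( 'message' => 'Malformed form_data' ), 400 );
        }

        foreach ( $form_data as $i => $setting ) {
            // Drop entries that are not {"key": ..., "value": ...} objects.
            if ( ! is_array( $setting ) || empty( $setting['key'] ) || ! array_key_exists( 'value', $setting ) ) {
                unset( $form_data[ $i ] );
                continue;
            }
            $key = sanitize_key( $setting['key'] );
            $form_data[ $i ]['key']   = $key;
            $form_data[ $i ]['value'] = apply_filters( 'ninja_forms_update_' . $key, $setting['value'] );
        }

        update_option( 'ninja_forms_settings', array_values( $form_data ) );
        wp_send_json_success( array( 'updated' => count( $form_data ) ) );
    }
}
```

The nonce and the capability check protect against different things: the nonce stops cross-site request forgery, while `current_user_can()` is what actually enforces who may change settings, so neither replaces the other.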

Exploitation Scenarios

To exploit this security vulnerability, an attacker can craft and send a malicious AJAX request as shown below:

POST /wp-admin/admin-ajax.php?action=ninja_forms_update_settings&security=[nonce] HTTP/1.1
Host: [target_site]
Content-Type: application/x-www-form-urlencoded

form_data=[attacker_payload]

Here, [nonce] refers to a valid WordPress nonce value, and [attacker_payload] denotes the custom form data the attacker wants to write. The difficulty of obtaining a valid WordPress nonce may reduce the likelihood of this vulnerability being exploited. However, it is still essential to apply the proper security fixes to avoid any potential exploitation attempts.

Website administrators should stay current with security patches and recommendations. If you are using Ninja Forms on your website, it is strongly recommended to update the plugin to version 3.6.26 or later, which contains the fix for this issue. Doing so protects your website from unauthorized settings changes and any further threats arising from this vulnerability.

Timeline

Published on: 06/19/2024 13:15:53 UTC
Last modified on: 06/20/2024 12:44:01 UTC