QID 150638

Date Published: 2023-01-20

QID 150638: WordPress Ninja Forms Plugin: Deserialization Vulnerability (CVE-2022-2903)

Ninja Forms is a popular WordPress plugin designed to enhance WordPress sites with easily customizable forms.

Affected versions of Ninja Forms plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Affected Versions:
Ninja Forms prior to version 3.6.13

QID Detection Logic:
This QID sends a HTTP GET request and checks for vulnerable version of WordPress plugin running on the target application.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.

CVSS V3 rated as High - 7.2 severity.

CVSS V2 rated as High - 6.5 severity.

Solution

Customers are advised to upgrade to Ninja Forms 3.6.13 or later to remediate this vulnerability. For more information regarding this vulnerability please refer WPScan Advisory

Vendor References

WPScan Advisory - wpscan.com/vulnerability/255b98ba-5da9-4424-a7e9-c438d8905864

CVEs related to QID 150638

CVE-2022-2903 |

Software Advisories

Advisory ID	Software	Component	Link
Ninja Forms Downloads			wordpress.org/plugins/ninja-forms/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].