WordPress Plugin, Ninja Forms, Makes Websites Vulnerable

Ninja Forms is a WordPress plugin used by more than 1 million sites. It lets designers create forms with drag-and-drop tools, without coding skills. The plugin contains four critical security bugs that allow hackers to take over a WordPress site. These four bugs allow lower-privileged users, even those who simply register for a site, to install arbitrary add-ons on a target site and redirect site owners to malicious destinations.

The first bug:

Authenticated Email Hijacking and Account Takeover with SendWP Plugin. This bug allows hackers with subscriber-level access or above to use SendWP to intercept all mail traffic, including password reset links for administrative accounts. The SendWP plugin is an email delivery service intended to make mail delivery simpler on WordPress. Hackers establish a SendWP connection using their own SendWP account, so all mail from the WordPress site is routed through and logged in the hackers' SendWP account. This then leads to remote code execution and site takeover: with an administrative account taken over through an intercepted password reset link, hackers modify theme/plugin files or upload a malware theme/plugin. In its February 16, 2021 analysis of the Ninja Forms security bugs, Wordfence estimates the first bug’s Common Vulnerability Scoring System (CVSS) rating at 9.9 out of 10.

The second bug:

Authenticated OAuth Connection Key Disclosure. OAuth is a system that grants a third party limited access to a user’s account. The bug is located in the Ninja Forms “Add-on Manager” service, a centralized dashboard that allows users to remotely manage all purchased Ninja Forms add-ons. Hackers establish an OAuth connection from a vulnerable WordPress site to their own account. This connection must then be completed. Therefore, the hackers trick the site administrator into clicking a special link to update the client_id parameter in the site database by altering the AJAX action. In turn, the targeted user then retrieves the database connection URL needed. At this point, hackers retrieve the client_id for an already established OAuth connection. Wordfence estimates the second bug’s CVSS rating is 7.7 out of 10.

The third bug:

Cross-Site Request Forgery to OAuth Service Disconnection. Hackers disconnect the current OAuth connection by crafting a legitimate request and tricking the administrator into clicking a link and/or attachment. Wordfence estimates the third bug’s CVSS rating is 6.1 out of 10.

The fourth and final bug:

Administrator Open Redirect. This bug allows hackers to craft a special URL with a redirect parameter that is set to a dangerous site. Hackers then manipulate the administrator into clicking the link, which infects the administrator’s computer with malware. Wordfence estimates this fourth and final bug’s CVSS rating is 4.8 out of 10.
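
The check that closes this class of bug is to validate the redirect parameter against an allowlist before following it. The sketch below is an added example, not code from Ninja Forms or Wordfence; the host site.example, the helper name safe_redirect_target and the sample inputs are constructed for illustration. Inside WordPress, the core functions wp_safe_redirect() and wp_validate_redirect() serve the same purpose.

```php
<?php
declare(strict_types=1);

// Constructed value: hosts this site may redirect to (assumption for the example).
const ALLOWED_HOSTS = ['site.example'];

// Hypothetical helper: returns $target if it is safe to follow, else $fallback.
function safe_redirect_target(string $target, string $fallback = '/wp-admin/'): string
{
    // Browsers strip control characters and treat "\" like "/", so a value
    // such as "/\other.example" would be followed as "//other.example".
    if ($target === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return $fallback;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback; // unparseable, or userinfo used to disguise the host
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Same-site relative URL: accept only an absolute path ("/...").
        return substr($parts['path'] ?? '', 0, 1) === '/' ? $target : $fallback;
    }
    // Absolute URL: require http(s) and an exact allowlisted host match.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (in_array($scheme, ['http', 'https'], true) && in_array($host, ALLOWED_HOSTS, true)) {
        return $target;
    }
    return $fallback;
}

// Constructed sample values for the redirect parameter.
$samples = [
    '/wp-admin/admin.php?page=ninja-forms',
    'https://site.example/wp-admin/',
    'https://other.example/login',
    '//other.example/login',
    '/\\other.example/login',
    'https://site.example@other.example/',
    'https://site.example.other.example/',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", $s, safe_redirect_target($s));
}
```

Only the first two samples are returned unchanged; every other value falls back to the default admin path instead of leaving the site.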


If you use WordPress, especially as an admin, it is paramount to practice good cybersecurity hygiene. Beware of clicking links, especially while you are connected and authenticated to a WordPress site. WordPress regularly releases patches and updates; however, while waiting for them, you must beware and be aware.