Late last week, Ninja Forms users received a forced security update from WordPress.org for a critical PHP Object Injection vulnerability. The vulnerability can be exploited remotely without any authentication. It was publicly disclosed last week and patched in the latest version, 3.6.11. Patches were also backported to several older release branches, including 3.1.10, 3.2.28 and 3.5.8.4.
Wordfence noticed a backported security update in the form builder plugin, which has more than one million active installs. Threat analyst Chloe Chamberland explained the vulnerability in an advisory alerting the company’s customers:
We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.
The vulnerability affects Ninja Forms’ “Merge Tags” feature, which auto-populates form values such as Post IDs and usernames. Wordfence threat analyst Ramuel Gall reverse engineered the vulnerability’s patches to create a working proof of concept. He found that it is possible to call various Ninja Forms classes that could be used for a range of exploits, including full site takeover. Chamberland reports there is evidence to suggest the vulnerability is being actively exploited in the wild.
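To make the mechanism in the advisory concrete, here is an added PHP illustration of the vulnerability class. It is not Ninja Forms or Wordfence code, and the class name `LogCleanup`, the function names and the file path are invented for the example. The point is the one Chamberland makes: once untrusted input reaches `unserialize()`, the attacker picks which already-loaded class is instantiated and with what properties, and any class with a useful magic method (the “POP chain”) becomes the sink. The hardened function shows a generic fix (JSON, or `allowed_classes => false`), not the vendor’s actual patch.

```php
<?php
// Added illustration (not Ninja Forms code) of PHP Object Injection via
// unserialize() on client-supplied data, beside a hardened alternative.
// All names here are assumptions made for the example.

// A "gadget": any class already loaded on the site whose magic method does
// something an attacker wants. A __destruct() that deletes a file is a classic
// POP-chain sink. The code defining it need not be vulnerable itself; it only
// has to exist on the site alongside the unserialize() call.
class LogCleanup {
    public $path;
    public function __destruct() {
        if ($this->path !== null && file_exists($this->path)) {
            unlink($this->path); // $path is attacker-controlled after unserialize()
        }
    }
}

// Vulnerable pattern: a merge-tag value supplied by the request is unserialized
// directly, so the request decides which class is instantiated.
function resolve_merge_tag_vulnerable(string $value) {
    return unserialize($value);
}

// Hardened pattern: never rebuild objects from untrusted input. Accept JSON
// (which instantiates nothing); if a legacy serialized scalar/array must be
// read, pass allowed_classes => false (PHP 7.0+) so every object in the payload
// becomes __PHP_Incomplete_Class and no magic method runs, then reject objects.
function resolve_merge_tag_hardened(string $value) {
    $decoded = json_decode($value, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        return $decoded;
    }
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false || is_object($data)) {
        return null; // refuse rather than trust
    }
    return $data;
}

// Demonstration with a constructed payload and a scratch file as the "victim".
$target = sys_get_temp_dir() . '/objinj-demo-' . getmypid() . '.txt';
file_put_contents($target, 'sensitive');

// Attacker-built payload: a serialized LogCleanup whose path points at $target.
$payload = 'O:10:"LogCleanup":1:{s:4:"path";s:' . strlen($target) . ':"' . $target . '";}';

$obj = resolve_merge_tag_vulnerable($payload);
unset($obj); // refcount hits zero here, so __destruct() fires and deletes $target
echo 'vulnerable path: file still exists? ', var_export(file_exists($target), true), PHP_EOL;

file_put_contents($target, 'sensitive');
$safe = resolve_merge_tag_hardened($payload);
echo 'hardened path: result ', var_export($safe, true),
     ', file still exists? ', var_export(file_exists($target), true), PHP_EOL;
unlink($target);
```

Run it with `php objinj-demo.php`. The vulnerable branch deletes the scratch file without the attacker ever authenticating; the hardened branch returns `null` and leaves the file alone. Note that the attacker does not need `LogCleanup` to be reachable through any normal code path, only for it to be autoloadable or already loaded, which is why a gadget from an unrelated plugin or WordPress core can complete the chain.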
WordPress.org’s forced security updates are a mitigation effort used in rare instances where the vulnerability is particularly severe and affects a large number of users. More than 680,000 sites were updated on June 14. This PHP object injection vulnerability scores 9.8 on the Common Vulnerability Scoring System (CVSS), but it has not yet been given a CVE ID.
Reviewing past CVE IDs for Ninja Forms, this is the most severe vulnerability in the plugin’s history. Ninja Forms’ changelog doesn’t communicate the severity of the threat, categorizing it as a “security enhancement”:
3.6.11 (14 JUNE 2022)
* Apply more strict sanitization to merge tag values
Ninja Forms didn’t post about the security update on its blog or social media accounts. Wordfence plans to update the text of its advisory as the company learns more about how attackers are exploiting the vulnerability. Ninja Forms users should check their sites to ensure the automatic security update went through, since a forced update can fail on sites with filesystem permission problems or disabled automatic updates. This update comes just one week after Ninja Forms patched a less severe, authenticated stored cross-site scripting (XSS) vulnerability on June 7.
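For the “check your sites” step, an added helper (not Ninja Forms or Wordfence code) that classifies an installed version against the fixed release for its branch. It lists only the fixed releases named in this article (3.1.10, 3.2.28, 3.5.8.4 and 3.6.11); the vendor changelog carries the complete set of backported releases, so a branch not listed here is reported as unknown rather than guessed at. The function names are assumptions for the example.

```php
<?php
// Added helper (not vendor code): is an installed Ninja Forms version at or
// above the fixed release for its major.minor branch?
// Only the fixed releases named in the article are listed here.
const NINJA_FORMS_FIXED = ['3.1.10', '3.2.28', '3.5.8.4', '3.6.11'];

// "3.5.8.3" -> "3.5"; backported fixes are per branch, so compare within a branch.
function branch_of(string $version): string {
    $parts = explode('.', $version);
    return $parts[0] . '.' . ($parts[1] ?? '0');
}

// Returns 'patched', 'vulnerable', or 'unknown-branch' when the installed
// branch has no fixed release in the list (consult the vendor changelog).
function ninja_forms_status(string $installed, array $fixed = NINJA_FORMS_FIXED): string {
    $branch = branch_of($installed);
    foreach ($fixed as $release) {
        if (branch_of($release) === $branch) {
            return version_compare($installed, $release, '>=') ? 'patched' : 'vulnerable';
        }
    }
    return 'unknown-branch';
}

// Constructed sample versions; on a real site read the installed version with
//   wp plugin get ninja-forms --field=version
foreach (['3.6.10', '3.6.11', '3.5.8.3', '3.5.8.4', '3.4.34'] as $v) {
    echo $v, ': ', ninja_forms_status($v), PHP_EOL;
}
```

`version_compare()` handles the four-component versions the plugin uses, so `3.5.8.3` is correctly ranked below `3.5.8.4`. Feed the output of the WP-CLI command into `ninja_forms_status()` on each site, and treat both `vulnerable` and `unknown-branch` as “update now”.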