Over 800,000 websites using the widely used Ninja Forms plugin for WordPress are at risk due to multiple security vulnerabilities. These vulnerabilities include a reflected cross-site scripting (XSS) weakness (CVE-2023-37979) that could allow unauthenticated users to escalate their privileges by tricking authorized users into visiting a malicious website. Furthermore, the plugin’s form submissions export feature has two broken access control flaws (CVE-2023-38386 and CVE-2023-38393) that could enable users with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site. This puts the security of the website at risk.

Mitigation:

For those using the Ninja Forms plugin, it’s essential to update to version 3.6.26 immediately to address security vulnerabilities. The update includes critical patches that can reduce the potential threats posed by the identified flaws.

Patchstack has also identified security issues in the Freemius WordPress software development kit (SDK) and the HT Mega plugin. The Freemius vulnerability (CVE-2023-33999) is a reflected XSS flaw, and the HT Mega flaw (CVE-2023-37999) lets unauthenticated users raise their privilege to any role on the WordPress site.

Due to the severity of these vulnerabilities, website administrators must quickly update the affected plugins to the latest versions. It’s necessary to ensure the security and integrity of their WordPress sites.