The WordPress plugin Ninja Forms has several vulnerabilities, the most severe of which allows a remote unauthenticated attacker to upload arbitrary files to the server. The attacker chains several of these vulnerabilities together to reach the upload. The upload vulnerability is caused by missing authentication checks in the source code, and successful exploitation can lead to complete compromise of the victim's server.
Exploitation
Stages
- The remote unauthenticated attacker sends a request carrying the ‘nf-switcher=upgrade’ parameter, enabling the vulnerable V3 (3.0) code base.
- The attacker requests a page containing a form in order to retrieve the leaked nonce.
- The server responds with the page, including the leaked nonce.
- The attacker makes a request to ‘wp-admin/admin-ajax.php’, using that nonce, to upload the payload to the server.
- The attacker requests the uploaded payload, which creates a reverse shell.
- The server executes the payload, establishing the reverse shell.
- The attacker makes a final request to disable the V3 functionality again.
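The stages above leave a recognisable sequence in the web server's access log: a request with ‘nf-switcher=upgrade’, a POST to ‘wp-admin/admin-ajax.php’ from the same client shortly afterwards, and then a request to the uploaded payload. The following detector is an added example written for this page, not Alert Logic's signature and not part of Ninja Forms; it assumes combined-log-format lines, a ten-minute correlation window between stages, and that the payload is reached as a .php path outside the WordPress core directories. The log lines are constructed for the example.

```python
"""Correlate the Ninja Forms exploit chain from web-server access logs.

Added example, not the advisory's or the plugin's code. Assumptions:
combined log format, a 10-minute window between stages, and the payload
being requested as a .php file outside WordPress core directories.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Stage 1: the switcher request that enables the V3 code base.
SWITCHER_RE = re.compile(r'[?&]nf-switcher=upgrade(?:&|$)', re.I)
# Stage 2: the upload request goes through admin-ajax.php.
AJAX_RE = re.compile(r'^/wp-admin/admin-ajax\.php(?:\?|$)', re.I)
# Stage 3 heuristic (assumption): payload is a .php path outside core dirs.
CORE_RE = re.compile(
    r'^/(wp-admin|wp-includes|wp-login\.php|wp-cron\.php|xmlrpc\.php|index\.php)', re.I
)
PHP_RE = re.compile(r'\.php(?:\?|$)', re.I)

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return (client_ip, stage, description) findings in log order.

    stage 1: nf-switcher=upgrade requested (V3 code path enabled)
    stage 2: POST to admin-ajax.php from the same client within WINDOW
    stage 3: 200 response for a non-core .php path after stage 2
    """
    state = defaultdict(dict)  # ip -> {"switch": ts, "upload": ts}
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        st = state[ip]
        if SWITCHER_RE.search(path):
            st["switch"] = ts
            findings.append((ip, 1, f"nf-switcher=upgrade requested: {path}"))
            continue
        if rec["method"] == "POST" and AJAX_RE.match(path):
            if "switch" in st and ts - st["switch"] <= WINDOW:
                st["upload"] = ts
                findings.append((ip, 2, "admin-ajax.php POST after switcher enable"))
            continue
        if ("upload" in st and ts - st["upload"] <= WINDOW
                and PHP_RE.search(path) and not CORE_RE.match(path)
                and rec["status"] == 200):
            findings.append((ip, 3, f"possible uploaded payload executed: {path}"))
    return findings


def chained_clients(findings, min_stage=2):
    """Clients that progressed at least to min_stage of the chain."""
    return sorted({ip for ip, stage, _ in findings if stage >= min_stage})


# Constructed sample log: one attacker (203.0.113.7) walking the chain and
# one ordinary visitor (198.51.100.4) submitting a form via admin-ajax.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:12:00:01 +0000] "GET /?nf-switcher=upgrade HTTP/1.1" 200 5123 "-" "curl/7.47.0"
203.0.113.7 - - [10/May/2016:12:00:02 +0000] "GET /contact/ HTTP/1.1" 200 8231 "-" "curl/7.47.0"
203.0.113.7 - - [10/May/2016:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/7.47.0"
203.0.113.7 - - [10/May/2016:12:00:05 +0000] "GET /wp-content/uploads/payload.php HTTP/1.1" 200 0 "-" "curl/7.47.0"
198.51.100.4 - - [10/May/2016:12:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 311 "https://example.test/contact/" "Mozilla/5.0"
198.51.100.4 - - [10/May/2016:12:01:30 +0000] "GET /about/ HTTP/1.1" 200 7011 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, stage, desc in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip} stage {stage}: {desc}")
    print("chained:", chained_clients(detect(SAMPLE_LOG.splitlines())))
```

A lone ‘nf-switcher=upgrade’ request is reported on its own because unauthenticated clients have no legitimate reason to send it; the admin-ajax.php POST is only reported once it follows that switch from the same client, which keeps normal form submissions out of the findings.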
Prerequisites
The attacker must be able to send arbitrary crafted HTTP requests to the victim host.
Vulnerability Description
The WordPress plugin Ninja Forms has several vulnerabilities that, chained together, allow a remote unauthenticated attacker to upload arbitrary files to the server. The attacker first enables the 3.0 code base, which is included in the plugin but not enabled by default. Next, the attacker retrieves a valid nonce, which is trivial because it is leaked in every page that includes a form. Finally, the attacker uploads an arbitrary file to the system. The upload vulnerability is caused by missing authentication checks in the source code, and exploitation can lead to complete compromise of the victim's server.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures to detect the threat, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. When a signature fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Customers are advised to perform the following actions:
- Update the plugin to the latest version, which does not exhibit the vulnerability
- If updating is not immediately possible, disable the Ninja Forms plugin
- Identify whether an alternative, non-vulnerable plugin is available