Computer Business World News


WordPress plugin exploit puts more than one million sites at risk


Four severe vulnerabilities have been identified in a single WordPress plugin used by more than one million websites. The bugs affect the Ninja Forms plugin, a drag-and-drop form builder, and could be used to take over a WordPress site and redirect administrators to malicious portals.

The first flaw makes it possible to redirect site owners to arbitrary locations by taking advantage of the wp_safe_redirect function. Attackers could craft a link with a redirect parameter that takes the site owner to a malicious URL, and present it with a message indicating that an inquiry into the site’s unusual behavior was taking place. That could be enough to convince the administrator to unwittingly click on the malicious link.

The second vulnerability allows attackers to intercept email traffic, provided they have subscriber-level access or above. The third makes it possible for attackers to access the Ninja Forms central management dashboard by obtaining the authentication key, while the fourth flaw allows threat actors to disconnect a site’s OAuth connection, meaning that there would be no way of carrying out access delegation.

Severe vulnerabilities

“In today’s post, we detailed four flaws in the Ninja Forms plugin that granted attackers the ability to obtain sensitive information while also allowing them the ability to redirect administrative users,” Chloe Chamberland, a member of the Wordfence Threat Intelligence Team, said. “These flaws have been fully patched in version 3.4.34.1. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.”

The four flaws have been granted different levels of severity, with the most dangerous being given a CVSS score of 9.9. However, given the popularity of the affected plugin, even the least severe threat should be patched as soon as possible.

Ninja Forms released a fix for three of the vulnerabilities on January 25, with the final flaw patched on February 8.
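For administrators who look after several sites, the patched version quoted above can be turned into a quick triage check. The following is an added example, not code from Wordfence or Ninja Forms; the inventory layout (site, plugin, version), the `ninja-forms` slug and the sample hosts are assumptions constructed for illustration. It compares versions numerically, because a plain string comparison would wrongly rank 3.4.9 above 3.4.34.1.

```python
import csv
import io

PATCHED = "3.4.34.1"   # first fully patched release, per the article
SLUG = "ninja-forms"   # assumed plugin slug used in the inventory


def parse_version(text):
    """Turn '3.4.34.1' into (3, 4, 34, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(installed, patched=PATCHED):
    """True if installed < patched, padding the shorter version with zeros."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory_csv):
    """Return (needs_update, unparseable) lists of site names."""
    needs_update, unparseable = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["plugin"] != SLUG:
            continue
        try:
            if is_vulnerable(row["version"]):
                needs_update.append(row["site"])
        except ValueError:
            # Pre-release or malformed version strings need a manual look.
            unparseable.append(row["site"])
    return needs_update, unparseable


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """site,plugin,version
shop.example,ninja-forms,3.4.33
blog.example,ninja-forms,3.4.34
docs.example,ninja-forms,3.4.34.1
news.example,ninja-forms,3.5.0
old.example,ninja-forms,3.4.9
dev.example,ninja-forms,3.5.0-beta
wiki.example,contact-form-7,5.3
"""

if __name__ == "__main__":
    outdated, unknown = triage(SAMPLE)
    print("Update now:", outdated)
    print("Check manually:", unknown)
```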

Via Wordfence


Copyright © 2023 Computer Business World