Computer Business World News

WordPress plugin exploit puts more than one million sites at risk

February 18, 2021 by CBW Reporter

Four severe vulnerabilities have been identified in a single WordPress plugin used by more than one million websites. The bugs affect the Ninja Forms plugin, a drag-and-drop form builder, and could be used to take over a WordPress site and redirect administrators to malicious portals.

The first flaw makes it possible to redirect site owners to arbitrary locations by abusing the wp_safe_redirect function. Attackers could craft a link whose redirect parameter takes the site owner to a malicious URL, presenting it as part of an inquiry into the site’s unusual behavior. This could be enough to convince the administrator to unwittingly click on the malicious link.

The second vulnerability allows attackers to intercept email traffic, provided they have subscriber-level access or above. The third makes it possible for attackers to access the Ninja Forms central management dashboard by obtaining the authentication key, while the fourth flaw allows threat actors to disconnect a site’s OAuth connection, meaning that there would be no way of carrying out access delegation.

Severe vulnerabilities

“In today’s post, we detailed four flaws in the Ninja Forms plugin that granted attackers the ability to obtain sensitive information while also allowing them the ability to redirect administrative users,” Chloe Chamberland, a member of the Wordfence Threat Intelligence Team, said. “These flaws have been fully patched in version 3.4.34.1. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.”

The four flaws have been granted different levels of severity, with the most dangerous being given a CVSS score of 9.9. However, given the popularity of the affected plugin, even the least severe threat should be patched as soon as possible.

Ninja Forms released a fix for three of the vulnerabilities on January 25, with the final flaw patched on February 8.
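The version guidance above can be turned into a quick audit. This is an added example, not code from Wordfence or Ninja Forms: it reads the `Version:` header of the plugin's main file and flags any install older than 3.4.34.1. The path `wp-content/plugins/ninja-forms/ninja-forms.php` is assumed to be the default install location, and the two sample sites are constructed fixtures.

```shell
#!/bin/sh
# Added example: flag WordPress installs whose Ninja Forms is older than the fix.
FIXED="3.4.34.1"   # release the article names as fully patched

# version_lt A B: succeed when dotted version A is lower than B. Components are
# compared numerically (so 3.4.9 < 3.4.34); missing components count as 0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# plugin_version FILE: print the numeric "Version:" value from a plugin header.
plugin_version() {
    sed -n 's/^[ *]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_site WP_ROOT: print one status line.
# Returns 0 = patched, 1 = vulnerable, 2 = plugin absent, 3 = no version header.
check_site() {
    plugin_file="$1/wp-content/plugins/ninja-forms/ninja-forms.php"  # assumed path
    [ -f "$plugin_file" ] || { echo "$1: ninja-forms not installed"; return 2; }
    v=$(plugin_version "$plugin_file")
    [ -n "$v" ] || { echo "$1: version header not found"; return 3; }
    if version_lt "$v" "$FIXED"; then
        echo "$1: VULNERABLE ninja-forms $v (older than $FIXED)"; return 1
    fi
    echo "$1: ok ninja-forms $v"
}

# make_fixture DIR VERSION: write a constructed plugin header for the demo.
make_fixture() {
    mkdir -p "$1/wp-content/plugins/ninja-forms"
    printf '<?php\n/*\nPlugin Name: Ninja Forms\nVersion: %s\n*/\n' "$2" \
        > "$1/wp-content/plugins/ninja-forms/ninja-forms.php"
}

# Demo on two constructed sites: one behind the fix, one on 3.5.0.
tmp=$(mktemp -d)
make_fixture "$tmp/old" 3.4.33
make_fixture "$tmp/new" 3.5.0
for site in "$tmp/old" "$tmp/new"; do check_site "$site" || true; done
```

To audit real sites, replace the demo lines with a loop over your own WordPress root directories.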

Via Wordfence
