There is a new vulnerability in the WordPress plugin Ninja Forms that affects all versions up to and including 3.6.3. The vulnerability allows SQL injection, giving an attacker the ability to run queries against the database through the form's blank fields.
The plugin developer released version 3.6.4 two days ago.
The Ninja Forms add-on allows you to design forms on WordPress sites and currently has more than 1 million active installations. However, this plugin has frequently had vulnerabilities disclosed, such as the one reported on September 22, 2021 by WordFence. The new vulnerability is said to have been fixed in version 3.6.4, with no further details released.
There is currently no detailed description of how this vulnerability, tracked as CVE-2021-24889, could be exploited. The developers plan to publish a PoC demonstrating it on November 4th.
For the record, the Ninja Forms vulnerability reported in late September involved unprotected requests through the REST API, which allowed attackers to skim sensitive data or carry out email injection.