Security advisories have been released concerning vulnerabilities in two widely used WordPress contact form plugins, potentially impacting over 1.1 million installations. Users are urged to update their plugins to the latest versions to mitigate the risks.
The affected plugins are Ninja Forms (with over 800,000 installations) and Fluent Forms (installed on more than 300,000 sites). These vulnerabilities are unrelated, stemming from separate security flaws.
Ninja Forms is vulnerable due to a failure to properly escape a URL, which can lead to a reflected cross-site scripting (XSS) attack. On the other hand, the Fluent Forms vulnerability arises from an insufficient capability check, which could allow unauthorized API modifications.
The Ninja Forms plugin is at risk from a reflected XSS vulnerability, which could enable attackers to target admin-level users and potentially gain control of the website by tricking them into clicking a malicious link. The vulnerability is currently being evaluated and has not yet been assigned a CVSS (Common Vulnerability Scoring System) score.
The Fluent Forms vulnerability is caused by a missing capability check, allowing unauthorized users to modify an API. For this exploit to work, the attacker needs at least subscriber-level access, which is possible on sites where user registration is enabled. This vulnerability has been rated a medium severity with a CVSS score of 4.2.
Users of both plugins are strongly advised to update to the latest versions. The current version of Fluent Forms is 5.2.0, while Ninja Forms has been updated to version 3.8.14.
