- Joined
- Sep 3, 2014
- Messages
- 6,244
- Likes
- 13,129
- Degree
- 9
I've been wanting to make this thread for a while but always am too busy to fire it off. Almost every day another vulnerability is found in commonly used Wordpress plugins. I know Wordpress wants to set up a system to force auto-updates for these cases, but it doesn't exist yet and lots of people can't opt into it anyways or it risks breaking their sites further.
The point of this is two-fold:
____
Today's vulnerability is...
Ninja Forms
Update Available: Yes
Vulnerability Rating: Severe
Type: Cross-Site Request Forgery (CSRF) & Cross-Site Scripting (XSS)
Link: https://ninjaforms.com
Basically, a form can be submitted with a script in such a way that, which is not sanitized or validated by nonces, that executes the script and adds new administrator accounts. From there, they can do whatever they want to your site. Update to Ninja Forms version 3.4.24.2 to patch this vulnerability.
The point of this is two-fold:
- Every additional plugin you install increases your risk of being hacked or harmed in some regard.
- Many plugins are coded poorly which also impact your speed and user experience.
____
Today's vulnerability is...
Ninja Forms
Update Available: Yes
Vulnerability Rating: Severe
Type: Cross-Site Request Forgery (CSRF) & Cross-Site Scripting (XSS)
Link: https://ninjaforms.com
Basically, a form can be submitted with a script in such a way that, which is not sanitized or validated by nonces, that executes the script and adds new administrator accounts. From there, they can do whatever they want to your site. Update to Ninja Forms version 3.4.24.2 to patch this vulnerability.