CVE-2016-1209
Published 2016-05-14
Priority: P2 · 76 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 61.61% (99.1th percentile)
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ninjaforms | ninja_forms | <= 2.9.42 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests containing the 'nf-switcher' parameter (values: 'upgrade' or 'rollback') used to toggle the vulnerable V3 preview mode without authentication.
- Detect unauthenticated POST requests to the WordPress admin-ajax endpoint with action=nf_async_upload and a multipart file upload containing a .php file, which is indicative of exploitation.
- Monitor for PHP files created under wp-content/uploads/ with the 'nftmp-' prefix, which is the upload destination for the malicious payload.
- Look for the ajaxNonce pattern in HTTP responses: 'var nfFrontEnd = {"ajaxNonce":"<value>"}'. Attackers scrape this nonce from any page hosting a Ninja Forms form prior to uploading.
- Alert on serialized PHP object data in POST request bodies targeting Ninja Forms endpoints, as the plugin allows PHP object injection via crafted serialized values.
- Affected versions are 2.9.36 through 2.9.42; version 2.9.42.1 and later are patched. Detection rules should scope version checks accordingly.
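The request-level indicators and the 'nftmp-' file check listed above, written as a small Python triage helper. This is an added example, not code from the page or from any of its sources. The record schema (method, url, body, cookie) and the sample records are constructed assumptions, and the serialized-object check runs on every POST body because the page does not name the affected endpoints.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote_plus

PHP_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')      # e.g. O:8:"stdClass":0:{
PHP_FILENAME = re.compile(r'filename="[^"]*\.php"', re.I)

def classify(rec):
    """Return indicator names matched by one request record (assumed schema)."""
    path, _, query = rec["url"].partition("?")
    params = parse_qs(query)
    body = unquote_plus(rec.get("body", ""))
    # WordPress sets a wordpress_logged_in_<hash> cookie for authenticated users.
    anonymous = "wordpress_logged_in_" not in rec.get("cookie", "")
    hits = []
    if (anonymous and rec["method"] == "GET"
            and set(params.get("nf-switcher", [])) & {"upgrade", "rollback"}):
        hits.append("nf-switcher")
    if (anonymous and rec["method"] == "POST"
            and path.endswith("/wp-admin/admin-ajax.php")
            and "nf_async_upload" in query + body):
        hits.append("nf_async_upload")
        if PHP_FILENAME.search(body):
            hits.append("php-upload")
    # Broader than the page: any POST body is checked, not only Ninja Forms endpoints.
    if rec["method"] == "POST" and PHP_OBJECT.search(body):
        hits.append("serialized-object")
    return hits

def find_nftmp_php(uploads_dir):
    """List PHP files with the nftmp- prefix anywhere under the uploads directory."""
    return sorted(p for p in Path(uploads_dir).rglob("nftmp-*.php") if p.is_file())

# Constructed sample records (not captured traffic).
SAMPLES = [
    {"method": "GET", "url": "/contact/?nf-switcher=upgrade"},
    {"method": "POST", "url": "/wp-admin/admin-ajax.php",
     "body": 'name="action"\r\n\r\nnf_async_upload\r\n'
             'Content-Disposition: form-data; name="f"; filename="a.php"'},
    {"method": "POST", "url": "/contact/", "body": "field=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"},
    {"method": "GET", "url": "/contact/?nf-switcher=upgrade", "cookie": "wordpress_logged_in_abc=1"},
    {"method": "GET", "url": "/contact/"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["method"], rec["url"], classify(rec))
```

Access logs normally omit POST bodies, so the body-based checks need a WAF or reverse-proxy log that records them.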
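CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |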
No detection rules found.
Exploit-DB
WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - File Upload (Metasploit)
exploitdb·2016-05-04
```ruby
'Name' => 'WordPress Ninja Forms Unauthenticated File Upload',
'Description' => %(
  Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain
  an unauthenticated file upload vulnerability, allowing guests
  to upload arbitrary PHP code that can be executed in the context
  of the web server.
),
'License' => MSF_LICENSE,
'Author' =>
  [
    'James Golovich', # Discovery and disclosure
    'Rob Carr ' # Metasploit module
  ],
'References' =>
  [
    ['CVE', '2016-1209'],
    ['WPVDB', '8485'],
    ['URL', 'http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities']
  ],
'DisclosureDate' => 'May 04 2016',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['ninja-forms', {}]],
'DefaultTarget' => 0
))
opts = [OptString.new('FORM_PATH', [true, 'The relative path of the pag
```
Metasploit
WordPress Ninja Forms Unauthenticated File Upload
metasploit
Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain an unauthenticated file upload vulnerability, allowing guests to upload arbitrary PHP code that can be executed in the context of the web server.
No writeups or analysis indexed.
- http://jvn.jp/en/jp/JVN44657371/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000064
- http://packetstormsecurity.com/files/137211/WordPress-Ninja-Forms-Unauthenticated-File-Upload.html
- http://www.pritect.net/blog/ninja-forms-2-9-42-critical-security-vulnerabilities
- http://www.rapid7.com/db/modules/exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
- https://ninjaforms.com/important-security-update-always-hurt-ones-love/
- https://wordpress.org/plugins/ninja-forms/changelog/
- https://wpvulndb.com/vulnerabilities/8485