CVE-2016-1209
published 2016-05-14


Priority: P276, critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: EXPLOIT (exploit-available flag)
EPSS: 61.61% (99.1th percentile)
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.

Affected (1 range)

Vendor: ninjaforms
Product: ninja_forms
Version range: <= 2.9.42
Fixed in: not listed in the record (the description gives 2.9.42.1 as the first fixed release)

Detection & IOCs (extracted from sources)

url: /?nf-switcher=upgrade
url: /?nf-switcher=rollback
path: /wp-content/uploads/nftmp-<random>.php
command: action=nf_async_upload
filename: nftmp-<random>.php
  • Detect unauthenticated GET requests containing the 'nf-switcher' parameter (values: 'upgrade' or 'rollback') used to toggle the vulnerable V3 preview mode without authentication.
  • Detect unauthenticated POST requests to the WordPress admin-ajax endpoint with action=nf_async_upload and a multipart file upload containing a .php file; this is indicative of exploitation.
  • Monitor for PHP files created under wp-content/uploads/ with the 'nftmp-' prefix, which is the upload destination for the malicious payload.
  • Look for the ajaxNonce pattern in HTTP responses: 'var nfFrontEnd = {"ajaxNonce":"<value>"}'; attackers scrape this nonce from any page hosting a Ninja Forms form prior to uploading.
  • Alert on serialized PHP object data in POST request bodies targeting Ninja Forms endpoints, as the plugin allows PHP object injection via crafted serialized values.
  • Affected versions are 2.9.36 through 2.9.42; version 2.9.42.1 and later are patched. Detection rules should scope version checks accordingly.
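The first three detection bullets above, turned into a log-scanning check as an added example (not part of this record or of the Ninja Forms project): it parses constructed Apache-style access-log lines, tags the nf-switcher toggle, the admin-ajax nf_async_upload call and any access to an nftmp-*.php file under wp-content/uploads, then correlates by client IP so that a single source showing several stages of the chain stands out. Function names, the log format and the sample lines are all assumptions made here.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not taken from the page); combined-log style.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2016:10:00:01 +0000] "GET /?nf-switcher=upgrade HTTP/1.1" 200 512
203.0.113.7 - - [14/May/2016:10:00:02 +0000] "GET /contact/ HTTP/1.1" 200 8192
203.0.113.7 - - [14/May/2016:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=nf_async_upload HTTP/1.1" 200 64
203.0.113.7 - - [14/May/2016:10:00:04 +0000] "GET /wp-content/uploads/nftmp-a1b2c3.php HTTP/1.1" 200 12
198.51.100.5 - - [14/May/2016:10:01:00 +0000] "GET /?nf-switcher=rollback HTTP/1.1" 200 512
198.51.100.9 - - [14/May/2016:10:02:00 +0000] "GET /wp-content/uploads/2016/05/logo.png HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Upload destination named in the IOC list: wp-content/uploads/nftmp-<random>.php
NFTMP_RE = re.compile(r'/wp-content/uploads/nftmp-[^/]+\.php$')

def classify(line):
    """Return a stage tag for one log line, or None if it matches nothing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m['method'], m['target']
    url = urlparse(target)
    query = parse_qs(url.query)
    if method == 'GET' and query.get('nf-switcher', [''])[0] in ('upgrade', 'rollback'):
        return 'nf-switcher-toggle'
    # Note: access logs only expose a query-string 'action'; a body-carried
    # action=nf_async_upload needs request-body (WAF) logging to be seen.
    if method == 'POST' and url.path.endswith('/wp-admin/admin-ajax.php') \
            and 'nf_async_upload' in query.get('action', []):
        return 'nf-async-upload'
    if NFTMP_RE.search(url.path):
        return 'nftmp-php-access'
    return None

def scan(log_text):
    """Return a list of (ip, stage, target) for every matching line."""
    findings = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            m = LINE_RE.match(line)
            findings.append((m['ip'], tag, m['target']))
    return findings

def correlate(findings, min_stages=2):
    """Map ip -> sorted stages for IPs that show at least min_stages distinct stages."""
    stages = {}
    for ip, tag, _ in findings:
        stages.setdefault(ip, set()).add(tag)
    return {ip: sorted(s) for ip, s in stages.items() if len(s) >= min_stages}
```

A single nf-switcher hit (the second IP) is worth a ticket on its own, but an IP that toggles the mode, calls nf_async_upload and then fetches an nftmp-*.php file is the full chain and should page someone.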

CVSS provenance

nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P