CVE-2021-24163
📋 TL;DR
This vulnerability in the Ninja Forms WordPress plugin allows low-privileged users (like subscribers) to install and activate the SendWP plugin without authorization and retrieve sensitive client_secret keys. It affects WordPress sites using Ninja Forms before version 3.4.34. The flaw exists due to missing capability checks and nonce protection in an AJAX handler.
💻 Affected Systems
- Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress
📦 What is this software?
Ninja Forms by Ninjaforms
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to SendWP connection secrets, potentially compromising email communication systems and enabling further attacks on connected services.
Likely Case
Low-privileged users install unauthorized plugins and access sensitive configuration data, leading to potential data exposure and unauthorized system modifications.
If Mitigated
With proper access controls, only administrators can perform plugin installations and access sensitive configuration data.
🎯 Exploit Status
Exploitation requires at least subscriber-level access. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.34
Vendor Advisory: https://wpscan.com/vulnerability/55fde9fa-f6cd-4546-bee8-4acc628251c2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ninja Forms plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.4.34+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable AJAX handler hooked to wp_ajax_ninja_forms_sendwp_remote_install_handler.
Add to the theme's functions.php or a custom plugin:
remove_action('wp_ajax_ninja_forms_sendwp_remote_install_handler', 'ninja_forms_sendwp_remote_install_handler');
Restrict user capabilities
Temporarily limit subscriber and contributor capabilities to prevent exploitation.
Use a WordPress role management plugin to restrict the 'install_plugins' and 'activate_plugins' capabilities.
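A less disruptive variant of the first workaround, written here as an added example (not code from Ninja Forms, SendWP or the advisory): a must-use plugin that hooks the same AJAX action before the plugin's own handler and rejects any caller who lacks the install_plugins capability, so the feature keeps working for administrators. The action name is taken from the workaround above; the plugin's nonce action name is not on this page, so the guard enforces only the capability check.

```php
<?php
/**
 * Plugin Name: CVE-2021-24163 capability guard (added example, not Ninja Forms code)
 *
 * Drop this file into wp-content/mu-plugins/. It hooks the vulnerable AJAX
 * action at priority 0 so the check runs before the plugin's handler, which
 * is registered at the default priority 10. Unlike remove_action(), this
 * keeps the SendWP install feature available to administrators.
 */

// Assumption: the action name comes from the advisory above. The plugin's own
// nonce action name is unknown here, so only the capability is enforced.
add_action( 'wp_ajax_ninja_forms_sendwp_remote_install_handler', 'cve_2021_24163_guard', 0 );

function cve_2021_24163_guard() {
    // Installing and activating plugins are administrator capabilities on a
    // single-site install; subscribers and contributors never hold them.
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return; // authorised caller: let the real handler run
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Record the blocked attempt so log-based detection (see below) can pick it up.
    error_log( sprintf(
        'CVE-2021-24163: blocked sendwp_remote_install attempt user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        $ip
    ) );

    // wp_send_json_error() ends the request via wp_die(), so the plugin's
    // handler never executes for this caller.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```

The wp_ajax_ hook only fires for logged-in users, which matches the subscriber-level access this vulnerability requires; unauthenticated requests never reach it.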
🧯 If You Can't Patch
- Implement strict access controls to limit low-privileged user access to WordPress admin areas
- Monitor and audit plugin installation activities and AJAX requests for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Ninja Forms → Version. If the version is below 3.4.34, the site is vulnerable.
Check Version:
wp plugin list --name=ninja-forms --field=version (WP-CLI), or check the WordPress admin interface.
Verify Fix Applied:
Confirm Ninja Forms version is 3.4.34 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- AJAX requests to admin-ajax.php with action=ninja_forms_sendwp_remote_install_handler from non-admin users
- Unexpected plugin installation/activation events
- Access to SendWP configuration endpoints by low-privileged users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with suspicious action parameters
- Unexpected outbound connections to SendWP services
SIEM Query:
source="wordpress.log" AND (action="ninja_forms_sendwp_remote_install_handler" OR plugin="sendwp") AND user_role!="administrator"
🔗 References
- https://wpscan.com/vulnerability/55fde9fa-f6cd-4546-bee8-4acc628251c2
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/