CVE-2021-24889

Severity: 7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in the Ninja Forms Contact Form WordPress plugin allows authenticated administrators to execute arbitrary SQL commands. It affects WordPress sites running Ninja Forms versions before 3.6.4, potentially leading to data theft, modification, or complete database compromise.

💻 Affected Systems

Products:
  • Ninja Forms Contact Form WordPress Plugin
Versions: All versions before 3.6.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator-level WordPress user account to exploit. Affects all WordPress installations using vulnerable plugin versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including sensitive user data, admin credential theft, and potential site takeover via privilege escalation.

🟠 Likely Case: Data exfiltration of form submissions, user information, and potentially other WordPress database content.

🟢 If Mitigated: Limited impact due to proper access controls and monitoring detecting unusual admin activity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access. A public proof-of-concept exists demonstrating SQL injection via the fields parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.4

Vendor Advisory: https://wpscan.com/vulnerability/55008a42-eb56-436c-bce0-10ee616d0495

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ninja Forms plugin.
4. Click 'Update Now' if an update is available.
5. If no update shows, manually download version 3.6.4+ from WordPress.org.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the vulnerable plugin until patched:

wp plugin deactivate ninja-forms

Admin Access Restriction (applies to: all)

Temporarily restrict admin panel access to trusted IPs only

🧯 If You Can't Patch

  • Implement strict principle of least privilege for WordPress admin accounts
  • Enable database query logging and monitor for unusual SQL patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Ninja Forms version number

Check Version:

wp plugin get ninja-forms --field=version

Verify Fix Applied:

Confirm Ninja Forms version is 3.6.4 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress/database logs
  • Multiple admin-level form submissions with unusual parameters

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with fields parameter containing SQL syntax

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "fields=" AND ("SELECT" OR "UNION" OR "INSERT" OR "UPDATE")
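The SIEM query above, applied offline to constructed sample log lines as an added example (this is not code from the page, the plugin vendor, or any SIEM product). It decodes the `fields` parameter before matching, uses word boundaries so values such as `reunion_date` are not flagged, and accepts an optional form body because web-server access logs do not record POST bodies; the body would have to come from a WAF or application log. All log lines, IPs and parameter values below are constructed samples.

```python
"""Flag requests matching the indicator: POST to admin-ajax.php whose
'fields' parameter carries SQL syntax. Sample data is constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Keywords from the SIEM query, matched as whole words only
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|UNION|INSERT|UPDATE)\b")

# Combined/common log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not from any real site)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=example&fields=1%20UNION%20SELECT%201 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2022:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
    '198.51.100.7 - - [10/Mar/2022:10:01:04 +0000] "GET /wp-content/uploads/select-union.png HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Mar/2022:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?fields=reunion_date HTTP/1.1" 200 128',
    '203.0.113.5 - - [10/Mar/2022:10:01:06 +0000] "POST /wp-admin/admin-ajax.php?fields=%2527%2520UNION HTTP/1.1" 200 128',
]


def scan_request(method: str, target: str, body: str = "") -> bool:
    """True when a request hits admin-ajax.php with a 'fields' value
    containing SQL keywords, in the query string or the optional body."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:  # body only available from a WAF/application log, never from access logs
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    for value in params.get("fields", []):
        # parse_qs already decoded once; decode again to catch double-encoded payloads
        decoded = unquote_plus(value).upper()
        if SQL_KEYWORD_RE.search(decoded):
            return True
    return False


def scan_log(lines):
    """Return (client_ip, request_target) for every matching access-log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and scan_request(m["method"], m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious: {ip} {target}")
```

Run against the sample lines, only the first and last POST lines are reported; the `reunion_date` line and the image request containing "select" and "union" in its filename are not. A hit from an account that legitimately holds the administrator role is exactly the case this advisory describes, so correlate the request with the authenticated WordPress user rather than treating the source IP alone as the indicator.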
