(wordfence.com) Critical Arbitrary File Upload Vulnerability in Ninja Forms – File Upload Plugin Under Active Exploitation
Critical unauthenticated arbitrary file upload vulnerability in Ninja Forms – File Upload WordPress plugin (CVE pending) actively exploited in the wild. ~50K sites at risk of RCE via path traversal and .htaccess manipulation. Update to 3.3.27+ immediately.
In brief - A severe flaw in the Ninja Forms plugin allows unauthenticated attackers to upload malicious PHP files and .htaccess configurations, leading to full site compromise. Exploitation began on disclosure day, with 118.6K+ blocked attempts. Patch now.
Technically - The vulnerability (no CVE yet) enables unauthenticated attackers to bypass file validation via path traversal in the `nf_fu_upload` AJAX action. Exploits observed include: (1) PDF-disguised PHP webshells with `php_uname()` recon, (2) GIF-header-spoofed minimal shells using `shell_exec()`, and (3) malicious .htaccess files (e.g., `%2ehtaccess`) to execute .txt as PHP. Endpoint: POST `/wp-admin/admin-ajax.php?action=nf_fu_upload`.
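Triage helpers for the indicators listed above, written here as an added example (not Wordfence's code or anything shipped with the plugin). Two checks: one scans constructed Apache combined-format log lines for POSTs to `admin-ajax.php?action=nf_fu_upload` and notes traversal sequences or an encoded `.htaccess` filename in the request line; the other inspects a file from the uploads tree (assumed to be `wp-content/uploads`) for PHP behind a PDF or GIF magic header, for `shell_exec()`/`php_uname()` style calls, and for an `.htaccess` that maps another extension to the PHP handler. The `name=` query parameter in the second log line is a hypothetical placement of the filename; in the real request the filename travels in the multipart POST body, which access logs do not record, so the log check only narrows the candidate set and the file check is the one that confirms compromise. All sample lines and file bodies are constructed.

```python
"""Added example: triage the nf_fu_upload indicators from the advisory above."""
import re
from urllib.parse import unquote

# Apache combined-format access-log line: client IP, request method and target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')
TRAVERSAL = re.compile(r"\.\.[/\\]")
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
# Recon / command-execution calls seen in the observed webshells.
DANGEROUS = re.compile(rb"\b(shell_exec|system|passthru|exec|eval|php_uname)\s*\(")
# Apache directives that make a non-.php extension (e.g. .txt) run as PHP.
PHP_HANDLER = re.compile(rb"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*php",
                         re.IGNORECASE | re.MULTILINE)
MAGIC = {b"%PDF": "pdf", b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}

# Constructed sample log lines; the 'name=' parameter is a hypothetical placement.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=nf_fu_upload&name=..%2f..%2f%2ehtaccess HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=nf_fu_upload HTTP/1.1" 400 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

# Constructed sample upload contents (relative to wp-content/uploads).
SAMPLE_FILES = {
    "2025/01/report.pdf": b"%PDF-1.4\n<?php echo php_uname(); ?>",
    "2025/01/avatar.gif": b"GIF89a<?php echo shell_exec('id'); ?>",
    "2025/01/.htaccess": b"AddType application/x-httpd-php .txt\n",
    "2025/01/photo.gif": b"GIF89a\x01\x00\x01\x00\x80",
    "2025/01/notes.txt": b"nothing to see here",
}


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2ehtaccess and %252e... both surface as .htaccess."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def flag_upload_requests(log_text: str) -> list:
    """Return (ip, target, reasons) for every POST to action=nf_fu_upload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        target = m["target"]
        path, _, query = target.partition("?")
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = dict(p.partition("=")[::2] for p in query.split("&") if p)
        if params.get("action") != "nf_fu_upload":
            continue
        reasons = ["nf_fu_upload POST"]
        decoded = fully_decode(query)
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal in query")
        if ".htaccess" in decoded.lower():
            reasons.append(".htaccess in query")
        hits.append((m["ip"], target, reasons))
    return hits


def classify_upload(name: str, data: bytes) -> list:
    """Return findings for one file: spoofed-header PHP, dangerous calls, rogue .htaccess."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    if fully_decode(base).lower() == ".htaccess":
        findings.append("htaccess file in uploads")
        if PHP_HANDLER.search(data):
            findings.append("htaccess maps another extension to PHP")
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if PHP_TAG.search(data):
        if kind:
            findings.append(f"php code behind {kind} magic header")
        elif not base.lower().endswith((".php", ".phtml")):
            findings.append("php code in non-php extension")
        else:
            findings.append("php file in uploads")
        if DANGEROUS.search(data):
            findings.append("command execution / recon call")
    return findings


def scan_uploads(files: dict) -> dict:
    """Map each file name to its findings, keeping only files with at least one."""
    return {n: f for n, f in ((n, classify_upload(n, d)) for n, d in files.items()) if f}


if __name__ == "__main__":
    for ip, target, reasons in flag_upload_requests(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
    for name, findings in scan_uploads(SAMPLE_FILES).items():
        print(name, "; ".join(findings))
```

To run this against a real site, feed `flag_upload_requests` the access log and walk `wp-content/uploads` with `classify_upload`; a hit on the file side (PHP behind an image or PDF header, or an `.htaccess` with an `AddType`/`AddHandler` line naming PHP) is a compromise indicator regardless of what the log shows, since the vulnerable endpoint accepts the upload without authentication.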