Ninja Forms WordPress Plugin Unauthenticated PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Ninja Forms WordPress plugin, affecting versions prior to 3.11.1. The plugin passes user-controlled form field input to PHP's unserialize(), so an unauthenticated visitor who can submit a form can supply a serialized object of any class loaded on the site, with attacker-chosen property values. Turning this into a concrete impact requires a suitable gadget (a class whose magic methods, such as __destruct or __wakeup, perform a useful side effect) to be present in WordPress core, the theme, or another installed plugin.

Impact

Successful exploitation gives an unauthenticated attacker control over the class and property values of an object the server deserializes. Depending on which gadget classes are available on the site, this can lead to arbitrary file writes, arbitrary code execution, or other malicious actions; without a usable gadget the object is instantiated but has no further effect.

Reproduction

To reproduce this vulnerability, install a vulnerable version of the Ninja Forms WordPress plugin and create a form that includes a Repeatable Fieldset field. Insert the form into a page or post. Then open the page without being logged in and submit the form. Intercept the request with a proxy such as Burp Suite and replace the value of the Repeatable Fieldset field with a serialized PHP object (a string beginning with O:, naming a class that exists on the site). When the request is submitted, the server unserializes the value and instantiates the injected object, demonstrating the PHP Object Injection.
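The following is an added illustration of the vulnerable pattern described in the two sections above and of two ways to fix it; it is not Ninja Forms code and does not reflect how the plugin itself processed the field. The CacheFile class, the handle_field_* functions and the payload string are all constructed for the example, and the code assumes PHP 8.0 or later.

```php
<?php
// Added illustration (not Ninja Forms code): a form handler that calls
// unserialize() on a field value, beside two safer ways to handle it.
// The class, functions and payload below are constructed for the example.

declare(strict_types=1);

// Stand-in for a "gadget": any class already loaded on the site whose magic
// method (__destruct, __wakeup, __toString, ...) has a side effect. Here the
// side effect is only a printed line; in a real chain it might be a file write
// to an attacker-chosen $path.
class CacheFile
{
    public string $path = '';
    public string $contents = '';

    public function __destruct()
    {
        echo "__destruct ran for {$this->path}\n";
    }
}

// Vulnerable pattern: the field value goes straight into unserialize().
// Any class on the site can be instantiated with attacker-chosen properties.
function handle_field_vulnerable(string $value): mixed
{
    return unserialize($value);
}

// Mitigation: forbid object instantiation (PHP 7.0+). PHP returns a
// __PHP_Incomplete_Class placeholder instead, so no magic method of
// CacheFile ever runs for this input.
function handle_field_no_classes(string $value): mixed
{
    return unserialize($value, ['allowed_classes' => false]);
}

// Preferred fix: do not accept PHP serialization from clients at all.
// JSON decoded to associative arrays cannot carry behaviour.
function handle_field_json(string $value): ?array
{
    $data = json_decode($value, true, 16);
    return is_array($data) ? $data : null;
}

// What an attacker might paste into the intercepted field: one CacheFile
// object with attacker-chosen property values (the byte lengths must match).
$payload = 'O:9:"CacheFile":2:{s:4:"path";s:19:"/var/www/html/x.php";s:8:"contents";s:5:"<?php";}';

echo "vulnerable handler:\n";
$obj = handle_field_vulnerable($payload);
echo '  class: ', get_class($obj), "\n";
unset($obj);   // the destructor fires here with attacker-controlled $path

echo "allowed_classes => false:\n";
$stub = handle_field_no_classes($payload);
echo '  class: ', get_class($stub), "\n";
unset($stub);  // placeholder object; no user code runs

echo "json_decode:\n";
var_dump(handle_field_json($payload));  // the PHP-serialized payload is not JSON and is rejected
```

Note that the destructor in the vulnerable path fires even though the handler never uses the object, which is why a gadget's __destruct is enough for exploitation. The allowed_classes option only blocks instantiation; the PHP manual's standing advice is not to unserialize untrusted data at all, and WordPress's own maybe_unserialize() helper calls unserialize() without that option, so routing client-supplied strings through it has the same effect as the vulnerable handler (the page does not say which code path Ninja Forms used).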

Remediation

Users are advised to update the Ninja Forms WordPress plugin to version 3.11.1 or later.

Added: Sep 18, 2025, 6:17 AM
Updated: Sep 18, 2025, 2:04 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          7.6
impact          10.0
exploitability  9.7
remediation     7.7
relevance       0.5
threat          6.4
urgency         2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.