Japan Vulnerability NotesJVN:44657371JVN#44657371: WordPress plugin "Ninja Forms" vulnerable to PHP object injection
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.0%
WordPress plugin “Ninja Forms” contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized.
Impact
A remote attacker may execute an arbitrary PHP code.
Solution
Update the Software
Update to a version that addresses the vulnerability according to the information provided by the developer.
The developer states that versions 2.9.43 and .1 versions of 2.9.36 through 2.9.42 address this vulnerability (e.g. 2.9.36.1, 2.9.37.1, etc.).
Also, the developer suggests updating to version_ _2.9.45, which contains fixes for other vulnerabilities.
Products Affected
- Ninja Forms Version 2.9.36 to 2.9.42
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.0%