
Ninja Forms WordPress Plugin Cross-Site Scripting

During the course of a web application penetration test I was faced with the Ninja Forms WordPress plugin. I found that version 2.8.8 of the Ninja Forms plugin, which was the latest version at the time of undertaking the penetration test, was vulnerable to cross-site scripting.

The vulnerability was found in the success notification message of the contact form, which the Ninja Forms plugin displays in the user's browser after the user successfully submits their details. As an example, the plugin can be configured to only show the username field in the message notification, as can be seen below for username "Pentester":


The following proof of concept shows how JavaScript can be injected using the field name "ninja_forms_field_1", by sending the following crafted HTTP request.

POST http://www.example.com/wp-admin/admin-ajax.php?action=ninja_forms_ajax_s...

ninja_forms_field_1=<b onmouseover=alert('XSS!')>TEST</b>

The cross-site scripting payload is then executed in the notification message when users pass their mouse over the username "TEST", as shown below:


Further to this, I wondered whether or not the vulnerability affected the WordPress admin panel, which may allow an attacker to get access to the admin panel.

Whilst an anonymous user could not target an administrator through the contact form in order to escalate their privileges, I found that the plugin was indeed vulnerable to stored cross-site scripting between WordPress administrators.

This issue can be exploited when administrator users with access to the Ninja Forms submissions list attempt to edit the user submitted values, such as the "Name" field. The following proof of concept example shows how an administrator can modify the value in the "Name" field "fields[1]" to contain JavaScript, as shown below:

POST http://www.example.com/wp-admin/post.php


If another administrator views the submissions list page and passes their mouse over the value "Pentest", the script will be executed, as shown below.


The Ninja Forms plugin developers have released a patch to resolve this issue as part of version 2.8.10. More information about the latest version of Ninja Forms WordPress plugin can be found at the following URL: https://wordpress.org/plugins/ninja-forms/
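
The class of flaw described above, and the output encoding that closes it, as an added example that is not Ninja Forms code and not the vendor's patch. The function names, the [field_N] placeholder syntax and the admin edit-field markup are hypothetical; the sample value is the one from the proof of concept.

```php
<?php
// Added illustration only: hypothetical names, not Ninja Forms source code.

// Vulnerable pattern: the submitted value is copied into the HTML message
// unchanged, so markup in the value becomes markup in the page.
function render_success_unsafe(string $template, array $fields): string
{
    return preg_replace_callback('/\[field_(\d+)\]/', function ($m) use ($fields) {
        return (string) ($fields[(int) $m[1]] ?? '');
    }, $template);
}

// Encode a user-supplied value for HTML element content and for quoted
// attribute values. ENT_QUOTES covers both " and ', so the value cannot
// close an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened success message: every substituted value is encoded at output time.
function render_success_safe(string $template, array $fields): string
{
    return preg_replace_callback('/\[field_(\d+)\]/', function ($m) use ($fields) {
        return encode_for_html((string) ($fields[(int) $m[1]] ?? ''));
    }, $template);
}

// Hardened admin edit field: a stored value written into a quoted attribute.
function render_admin_field_safe(int $id, string $stored): string
{
    return sprintf('<input type="text" name="fields[%d]" value="%s">',
        $id, encode_for_html($stored));
}

// Constructed sample input, reusing the value from the proof of concept.
$template = '<p>Thank you, [field_1]. Your message has been sent.</p>';
$fields   = [1 => "<b onmouseover=alert('XSS!')>TEST</b>"];

echo render_success_unsafe($template, $fields), PHP_EOL; // markup reaches the page
echo render_success_safe($template, $fields), PHP_EOL;   // markup shown as text
echo render_admin_field_safe(1, $fields[1]), PHP_EOL;    // value stays inside the attribute
```

Inside WordPress, esc_html() and esc_attr() are the core helpers for these two output contexts.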

Posted by Sergio
