A critical severity Arbitrary File Upload vulnerability has been discovered in the WordPress WooCommerce Ninja Forms Product Add-ons plugin. This vulnerability could allow a malicious actor to upload any type of file to the website, including backdoors which can then be executed to gain further access to the affected website.

This vulnerability was discovered and reported by Alexander Concha.

The vulnerability is caused by a lack of input validation in the plugin’s code. This allows an attacker to upload malicious files to the website, which are then executed when visitors visit the site.

The vulnerability has been fixed in version 1.7.1 of the WordPress WooCommerce Ninja Forms Product Add-ons plugin. Users who are running an older version of the plugin should update to the latest version as soon as possible.

Severity:

Critical

The vulnerability has a CVSS 3.1 score of 10.0, which is considered to be a critical severity. This means that the vulnerability is highly likely to be exploited and could have a devastating impact on the affected system.

Affected Versions:

All versions of the WordPress WooCommerce Ninja Forms Product Add-ons plugin prior to 1.7.1 are affected by this vulnerability.

Impact:

An attacker who successfully exploits this vulnerability could upload any type of file to your website, including backdoors which can then be executed to gain further access to your website. This could allow the attacker to steal sensitive data, modify website content, or take control of the affected website.

Recommendation:

Update the WordPress WooCommerce Ninja Forms Product Add-ons plugin to the latest available version (at least 1.7.1).

Given the critical nature of this vulnerability, immediate action is non-negotiable for safeguarding the website:

  1. Update the Plugin: Swiftly update the WooCommerce Ninja Forms Product Add-ons Plugin to the latest available version, ensuring it is at least version 1.7.1. This update incorporates crucial security fixes to remedy the Arbitrary File Upload vulnerability.
  2. Regular Plugin Updates: Beyond this specific update, make it a habit to consistently update all WordPress plugins and themes to their most current versions. This proactive measure is pivotal for the website’s security.
  3. Implement Additional Security Measures: Consider fortifying your website’s security by introducing extra layers of defense, including web application firewalls (WAFs), strong authentication protocols, and routine security audits. A comprehensive security strategy is your best defense against potential threats.