Ninja Forms – The Contact Form Builder That Grows With You

{
    "slug": "ninja-forms",
    "finding_count": 3,
    "findings": [
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "includes/Display/Render.php",
            "line": 848,
            "snippet": "wp_enqueue_script('nf-google-recaptcha', 'https://www.google.com/recaptcha/api.js?hl=' . $recaptcha_lang . '&onload=nfRenderRecaptcha&render=explicit', array( 'jquery', 'nf-front-end-deps'",
            "confidence": "medium",
            "details": {
                "url": "https://www.google.com/recaptcha/api.js?hl=",
                "url_host": "www.google.com"
            }
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "includes/Display/Render.php",
            "line": 856,
            "snippet": "wp_enqueue_script('nf-hcaptcha', 'https://js.hcaptcha.com/1/api.js?render=explicit', array( 'jquery', 'nf-front-end-deps' ), null, TRUE );",
            "confidence": "medium",
            "details": {
                "url": "https://js.hcaptcha.com/1/api.js?render=explicit",
                "url_host": "js.hcaptcha.com"
            }
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "includes/Actions/Recaptcha.php",
            "line": 306,
            "snippet": "wp_enqueue_script('nf-google-recaptcha', 'https://www.google.com/recaptcha/api.js?hl=' . $recaptcha_lang . '&render=' . $this->site_key, array('jquery'), '3.0', true);",
            "confidence": "medium",
            "details": {
                "url": "https://www.google.com/recaptcha/api.js?hl=",
                "url_host": "www.google.com"
            }
        }
    ],
    "resolved_sha": "856dd54305420a550a8a0aee0f62a442431e1a80"
}

{
    "slug": "ninja-forms",
    "committer_slug": "ericwindhamsd",
    "committer_display_name": "ericwindhamsd",
    "committer_employer": null,
    "committer_member_since": "2017-12-12",
    "committer_first_commit": "2018-07-31 16:12:04",
    "committer_commit_count": 3,
    "plugin_listed_author": "kstover",
    "earliest_plugin_commit": "2015-03-03 18:25:22",
    "plugin_age_at_join_days": 1245,
    "committer_age_at_join_days": 231,
    "active_installs": 600000
}

{
    "slug": "ninja-forms",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.14.2",
    "hit_count": 5,
    "first_hit": {
        "file": "includes/Admin/Menus/ImportExport.php",
        "line": 128,
        "snippet": "L111: $import = file_get_contents( $_FILES[ 'nf_import_fields' ][ 'tmp_name' ] );  \u2192  L128: $return = unserialize($serializedValue,['allowed_classes'=>false]);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}

{
    "slug": "ninja-forms",
    "previous_version": "3.14.2",
    "current_version": "3.14.2",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/Admin/Menus/ImportExport.php",
            "line": 128,
            "snippet": "L111: $import = file_get_contents( $_FILES[ 'nf_import_fields' ][ 'tmp_name' ] );  \u2192  L128: $return = unserialize($serializedValue,['allowed_classes'=>false]);",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/Integrations/EDD/EDD_SL_Plugin_Updater.php",
            "line": 426,
            "snippet": "L419: $request    = wp_remote_post( $this->api_url, array( 'timeout' => 15, 'sslverify' => $ve  \u2192  L426: $request->sections = maybe_unserialize( $request->sections );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/Integrations/EDD/EDD_SL_Plugin_Updater.php",
            "line": 432,
            "snippet": "L419: $request    = wp_remote_post( $this->api_url, array( 'timeout' => 15, 'sslverify' => $ve  \u2192  L432: $request->banners = maybe_unserialize( $request->banners );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/Integrations/EDD/EDD_SL_Plugin_Updater.php",
            "line": 436,
            "snippet": "L419: $request    = wp_remote_post( $this->api_url, array( 'timeout' => 15, 'sslverify' => $ve  \u2192  L436: $request->icons = maybe_unserialize( $request->icons );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/Integrations/EDD/EDD_SL_Plugin_Updater.php",
            "line": 494,
            "snippet": "L486: $request    = wp_remote_post( $this->api_url, array( 'timeout' => 15, 'sslverify' => $v  \u2192  L494: $version_info->sections = maybe_unserialize( $version_info->sections );",
            "confidence": "high"
        }
    ],
    "new_finding_count": 5
}