Chain of Events: 2.9.29 – 2.9.33

Synopsis

Over the past two weeks a handful of minor updates have been released in response to a reported* possible security vulnerability in Ninja Forms v2.9.28. While the vulnerability was quickly patched, the over zealous tightening of security caused unintended changes to field processing in other parts of the plugin. Specifically, the data filtering was creating false positives in other wise safe user submitted content. Each subsequently reported issues was patched quickly to provide the shortest down time possible.

During the cycle of releases our intention of quickly patching security vulnerabilities was at the cost of our code review process. We skipped steps without the fallback of automatic testing, which lead to additional issues in the codebase. This is not normal practice for Ninja Forms deployment, but comes at a point in time where we are actively maintaining one version of the plugin while re-writing the features from the ground up.

While this is an explanation of the recent chain of events, it is not meant to excuse our oversight in deployment procedures. Instead, we are putting in place a more consistent process along with automated testing with Ninja Forms 3.0.

Timeline

Monday, November 16th, 2015

  • 3:28 PM: Screencast proof of reflection XSS submitted by tBm.

Tuesday, November 17th, 2015

  • 10:24 AM: Security vulnerability replicated and reported to development team.
  • 11:04 AM: Pushed commit to patch security vulnerability (15bfb85f77ecef039729048c3d3bc4675e18bd6b).

Wednesday, November 18th, 2015

  • 10:13 AM: CVE submitted to https://cve.mitre.org/

Monday, December 8th, 2015

  • 3:54 PM: Version 2.9.29 released and submitted to WordPress Plugin Repository.

Friday, December 11th, 2015

  • 11:34 PM: Version 2.9.30 released and submitted to WordPress Plugin Repository.

Wednesday, December 16th, 2015

  • 11:38 AM: Version 2.9.31 released and submitted to WordPress Plugin Repository.

Monday, December 21st, 2015

  • 3:34 PM: Version 2.9.32 released and submitted to WordPress Plugin Repository.

Tuesday, December 22nd, 2015

  • 10:40 AM: Version 2.9.33 released and submitted to WordPress Plugin Repository.

Lessons Learned

In order to prevent security issues like those patched above, the following precautions will be taken in the future:

  • Continue to develop with known security vulnerabilities in mind.
  • Continuously test for previously know security vulnerabilities.

In order to prevent negative impact to users sites forms in the future, the following steps will be completed before each major and minor Ninja Forms release:

  • “Kitchen Sink” form testing with all field types.
  • More intentional code review on pull requests before deployment.

Summary/Apology

We are incredibly sorry for the time, business, and other losses any of our users may have incurred as a result of this release. We responded to these issues as quickly as we were able to, and were able to restore full functionality to our impacted users in less than 24 hours.

We have heard both your praise and complaints and have taken note of each one. We believe the measures listed above will prevent any similar issues from occurring in the future and hope that we can work to earn your trust as we continue to develop Ninja Forms.

Looking forward, we want to make a promise to our users, collaborating developers, and our support team: the stability of Ninja Forms is a core focus of our development process. We will strive to implement security patches, new features, and bug fixes in a manor that leads to trust and responsiveness. Security fixes will be responsible and deployed in a timely manner, while maintaining the integrity of the Ninja Forms code base.

If you have any questions, concerns, or would like to discuss the recently patched security vulnerability, please feel free to contact our development team using the comment form below.


* The reflective XSS vulnerability was reported by tBm.