About 1 million WordPress sites received a forced update due to a critical vulnerability


WordPress sites using the Ninja Forms plugin (more than 1 million installations) received a forced update that fixes a critical code injection vulnerability affecting several Ninja Forms releases, starting with version 3.0.

According to Wordfence threat analyst Ramuel Gall, an unauthenticated attacker can remotely invoke various Ninja Forms classes by exploiting a vulnerability in the Merge Tags feature, and could thereby gain full control of a vulnerable site. One of the exploit chains achieves remote code execution through deserialization, leading to a complete compromise of the site; another allows arbitrary files to be deleted from the site.

According to Ninja Forms download statistics, the security update has been installed more than 730,000 times since the patch was released. If the plugin was not updated automatically, the security update can be installed manually from the WordPress admin dashboard (the latest fixed version is 3.6.11).
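For administrators who manage many sites and want to confirm that the forced update actually landed, the following script is an added example (not code from Ninja Forms, Wordfence or the article). It assumes only the standard WordPress plugin header format, where the plugin's main PHP file carries a `Version:` line in its top comment block, and it applies the article's guidance conservatively: any installed version from 3.0 up to but not including 3.6.11 is reported as needing an update. The sample header embedded below is constructed for the demonstration.

```python
"""Check an installed Ninja Forms copy against the fixed release named in the article.

Added example; not part of Ninja Forms or Wordfence. Assumes the standard
WordPress plugin header format ("Version: x.y.z" in the main PHP file).
"""
import re
import sys
from pathlib import Path

FIRST_AFFECTED = "3.0"    # affected range starts at 3.0 (per the article)
FIXED_VERSION = "3.6.11"  # latest fixed release (per the article)

# Constructed sample of a plugin header, standing in for a real ninja-forms.php
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Plugin URI: http://example.invalid/ninja-forms
Description: Constructed sample header for the version check demo
Version: 3.6.10
Author: example
*/
"""


def parse_version(v):
    """Turn '3.6.11' into (3, 6, 11); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator; '3.6' compares equal to '3.6.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def version_from_header(text):
    """Extract the Version: value from a WordPress plugin header block, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def needs_update(version):
    """True when the version is in the affected range [3.0, 3.6.11)."""
    return (compare_versions(version, FIRST_AFFECTED) >= 0
            and compare_versions(version, FIXED_VERSION) < 0)


def check_header_text(text):
    """Return (installed_version, needs_update) for a plugin header; None if no version found."""
    installed = version_from_header(text)
    if installed is None:
        return None
    return installed, needs_update(installed)


def check_plugin_file(path):
    """Read a plugin's main PHP file from disk and check it (hypothetical path supplied by caller)."""
    return check_header_text(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Pass the path to the plugin's main file, e.g. wp-content/plugins/ninja-forms/ninja-forms.php;
    # without an argument, the constructed sample header is checked instead.
    result = check_plugin_file(sys.argv[1]) if len(sys.argv) > 1 else check_header_text(SAMPLE_HEADER)
    if result is None:
        print("No Version: header found")
    else:
        installed, vulnerable = result
        print(f"installed {installed}: {'UPDATE REQUIRED' if vulnerable else 'ok'} (fixed in {FIXED_VERSION})")
```

Running it without arguments checks the constructed sample and reports `UPDATE REQUIRED` for 3.6.10; pointing it at a real `ninja-forms.php` performs the same comparison against that file's header.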
