Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability – The Hacker News

WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that’s suspected of having been actively exploited in the wild.
The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in, 3.1.10, 3.2.28,,,, and 3.6.11.
Ninja Forms is a customizable contact form builder that has over 1 million installations.
According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.”
“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate [property oriented programming] chain was present,” Chloe Chamberland of Wordfence noted.
Successful exploitation of the flaw could allow an attacker to achieve remote code execution and completely take over a vulnerable WordPress site.
Users of Ninja Forms are advised to ensure that their WordPress sites are updated to run the latest patched version to prevent any possible exploitation attempts in the wild.
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.


Hire me on the World’s Leading Online Marketplace Freelancer.com to design your website. Additional services like- graphic design, virtual assistance, SEO, Data entry, etc are available. Click on This Link to start your project

Write a comment