WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated this week to a new build that addresses a critical security vulnerability. The flaw is a code injection vulnerability affecting multiple Ninja Forms releases, from version 3.0 onward.
It could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present. A POP (property-oriented programming) chain is a set of classes, typically supplied by another installed plugin or theme, whose magic methods can be abused when untrusted data is deserialized; the Ninja Forms flaw on its own provides the entry point, and the chain determines what an attacker can do with it.
About this vulnerability:
This vulnerability is being actively exploited in the wild.
Ninja Forms is a popular WordPress plugin designed to enhance WordPress sites with easily customizable forms.
This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
WordPress appears to have pushed a forced automatic update for this plugin, so most affected sites may already be running one of the patched versions. Nonetheless, researchers strongly recommend verifying that your site is on a patched version and updating if it is not: forced updates do not reach sites that have disabled automatic plugin updates, and an update can fail silently.
According to Ninja Forms' download stats, the security update has been rolled out over 730,000 times since the patch was released.
Fixed Versions for WordPress
Ninja Forms versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. Each of these is the first patched release of its 3.x branch, so any later release on the same branch is also patched.
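Because the fix was backported to every 3.x branch, "is my version patched?" is a per-branch comparison rather than a simple "newer than 3.6.11" check: 3.3.21.4 is patched while 3.3.21.3 is not, even though both are older than 3.5.x. The following Python script is an added example, not code from Ninja Forms or from the advisory's authors. It reads the `Version:` line from the plugin's main file header (a constructed sample is embedded so it runs offline; on a real site you would read `wp-content/plugins/ninja-forms/ninja-forms.php`), and compares the version against the patched release for its branch using the version list above. The file path and header sample are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# First patched release of each Ninja Forms 3.x branch, from the advisory above.
# Stored as integer tuples so that 3.0.34 < 3.0.34.2 compares correctly.
PATCHED = {
    (3, 0): (3, 0, 34, 2),
    (3, 1): (3, 1, 10),
    (3, 2): (3, 2, 28),
    (3, 3): (3, 3, 21, 4),
    (3, 4): (3, 4, 34, 2),
    (3, 5): (3, 5, 8, 4),
    (3, 6): (3, 6, 11),
}

# Highest patched release; any branch newer than those in PATCHED was cut after the fix.
LATEST_PATCHED = max(PATCHED.values())


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.3.21.4' into (3, 3, 21, 4). Rejects anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if this Ninja Forms version carries the fix for its own branch."""
    v = parse_version(version)
    if v[0] < 3:
        # The advisory scopes the flaw to 3.0 and up; 2.x is out of scope here.
        return True
    branch = v[:2]
    if branch in PATCHED:
        return v >= PATCHED[branch]
    # A branch newer than 3.6 (e.g. a hypothetical 3.7.0) postdates the fix.
    return v >= LATEST_PATCHED


def version_from_plugin_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)\s*$", header_text, re.MULTILINE)
    return m.group(1) if m else None


def check_plugin_header(header_text: str) -> Tuple[Optional[str], bool]:
    """Return (version, patched). version is None if no header was found."""
    version = version_from_plugin_header(header_text)
    if version is None:
        return None, False
    return version, is_patched(version)


# Constructed sample of a plugin header (assumption: this is what the top of
# ninja-forms.php looks like on a site that has not yet received the update).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Plugin URI: https://ninjaforms.com/
Description: Drag and drop fields in an intuitive UI to create forms.
Version: 3.6.10
Author: Saturday Drive
*/
"""

if __name__ == "__main__":
    # On a real site: open("wp-content/plugins/ninja-forms/ninja-forms.php").read()
    version, patched = check_plugin_header(SAMPLE_HEADER)
    print(f"Ninja Forms {version}: {'patched' if patched else 'VULNERABLE, update now'}")
```

Run it against the real plugin file (or the output of `wp plugin get ninja-forms --field=version` if WP-CLI is available) rather than trusting the dashboard alone; a forced update that failed partway can leave the dashboard and the files on disk disagreeing.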