The Wordfence Threat Intelligence team discovered a back-ported security update in June affecting the Ninja Forms plugin.
The vulnerability has been rated with a CVSS score of 9.8. The security researchers believe this vulnerability has been actively exploited in the wild.
WordPress released a patch for the vulnerability that was automatically applied to the sites running several different versions of the plug-in.
“One feature of Ninja Forms is the ability to add “Merge Tags” to forms that will auto-populate values from other areas of WordPress like Post IDs and logged-in user’s names. Unfortunately, this functionality had a flaw that made it possible to call various Ninja Form classes that could be used for a wide range of exploits targeting vulnerable WordPress sites,” reads the advisory published by Wordfence.
WordPress released a patch that was automatically applied to sites running the following versions of the plug-in: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11.
Wordfence stated that WordPress users should apply the patch as soon as possible, since automatic updates are not always successful.