Last week WordPress patched a critical NinjaForms vulnerability shortly after it emerged that malicious hackers were actively exploiting it in the wild. WordPress.org temporarily forced the security update onto over one million at-risk websites running the NinjaForms plugin.
In a statement, Wordfence said it had uncovered a code injection vulnerability that “could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”
“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.”
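The Wordfence quote above names the root cause as unserializing user-supplied content. The following illustration is added here and is not Ninja Forms or Wordfence code: it uses a constructed class and a constructed serialized string to show why calling `unserialize()` on untrusted input lets an attacker instantiate application classes (the building block of a "POP chain"), and how the `allowed_classes` option neutralises that.

```php
<?php
// Added illustration (not Ninja Forms code): object injection through
// unserialize() and its mitigation. The class and the input below are
// constructed for the demo.

class AuditLogger {
    public $logfile = '/tmp/app.log';
    // Magic methods run automatically, also on objects that unserialize()
    // creates. Chaining such methods across classes is what a "POP chain" is.
    public function __destruct() {
        echo "[__destruct] would write to {$this->logfile}\n";
    }
}

// Constructed sample of attacker-controlled input (e.g. a submitted form field).
$untrusted = 'O:11:"AuditLogger":1:{s:7:"logfile";s:16:"/tmp/evil.target";}';

// VULNERABLE: any class the application has loaded can be instantiated with
// attacker-chosen properties, and its magic methods will run.
$obj = unserialize($untrusted);
var_dump(get_class($obj)); // string(11) "AuditLogger"

// HARDENED (PHP >= 7.0): refuse to instantiate any class. The data is kept
// as a __PHP_Incomplete_Class stub and no AuditLogger::__destruct ever runs.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump(get_class($safe)); // string(22) "__PHP_Incomplete_Class"

// BETTER: do not accept PHP-serialised data from users at all; use JSON,
// which cannot name classes. Invalid input raises JsonException here.
$data = json_decode('{"logfile":"/tmp/app.log"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($data['logfile']); // string(12) "/tmp/app.log"
```

For defenders reviewing plugin code, the pattern to flag is any `unserialize()` whose argument can be influenced by a request (form fields, cookies, query parameters) and that is called without `allowed_classes => false`; on a site that also ships a usable gadget chain, that single call is enough for the impact Wordfence describes.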
Said differently, attackers were using a loophole in the NinjaForms plugin to gain access to and complete control of websites and execute malicious code of their choice. Brutal. This is the world we live in, but at least for now we can all rest assured nerds will keep saving it.
This update comes just one week after Ninja Forms patched a less severe, authenticated stored cross-site scripting (XSS) vulnerability on June 7.