The developers of the Ninja Forms WordPress plugin have fixed an unspecified security vulnerability with an update released on Tuesday this week. According to the changelog, the update adds "tougher parameter checking" for certain input parameters. Ninja Forms is very popular: with over a million active installations, it is one of the most frequently installed WordPress extensions.
Critical Ninja Forms vulnerability
However, the seemingly harmless update packs a punch. As Wordfence, a service provider specializing in WordPress security, found out by reverse engineering the patch, the Ninja Forms authors use it to close a security hole that attackers can use to execute arbitrary code.
In a blog post, the security experts describe the vulnerability as an object injection flaw that lets attackers inject their own objects. Using Ninja Forms class methods and those of other installed plugins, attackers may be able to assemble a "POP chain" (property-oriented programming chain) and execute malicious code. According to Wordfence, the vulnerability is already being actively exploited; it has been assigned a CVSS score of 9.8 (critical).
Administrators of WordPress sites should immediately check whether the plugin has already been updated automatically and, if not, update it manually. The bug is fixed in versions 184.108.40.206, 3.1.10, 3.2.28, 220.127.116.11, 18.104.22.168, 22.214.171.124 and 3.6.11.