Do you run a WordPress site?  Do you also use the popular forms design and management plugin called NinjaForms?  If you answered yes to both of those questions, be aware that NinjaForms was recently found to have a critical security flaw.

The flaw takes the form of a code injection vulnerability and impacts all versions of NinjaForms from 3.0 forward.  With more than a million installations to its name, that makes the newly discovered bug a problem indeed.

To their credit, the company behind the plugin moved quickly and issued an update which should have auto-installed on your system.

Chloe Chamberland is a researcher at Wordfence Threat Intelligence.

Chloe had this to say about the security flaw:

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”

The security patch was auto applied to more than 730,000 NinjaForms installations.  While that’s excellent, it’s clear that some admins don’t take kindly to auto-applied patches of any sort and have taken active countermeasures against such things.

If your company is one of those, you’ll need to install the latest version of NinjaForms as soon as possible. If you’re not sure you use it, check with your IT staff, and make them aware of the issue.

This isn’t the first time WordPress has taken away user agency in the name of security.  For instance, in 2019 the Jetpack plugin received a critical security update that corrected how the plugin processed embedded code.  The company didn’t make a fuss over it, they simply updated everyone’s Jetpack to the latest (safer) version.

Kudos to WordPress and the developers of NinjaForms for their rapid response in this instance. Kudos for keeping the web relatively safe.

Related Posts - TKS Blog

TKS Newsletter - 2024 December
Here's our December 2024 Newsletter Read the full PDF version here: The TKS Sentinel - December Issue In this month's edition, we discuss: Ransomware Threats PDF Hijacking ...
Read more
voice technology options
Harnessing the Power of Voice Technology
Voice technology is quickly becoming one of the most valuable tools for businesses seeking to improve customer interactions, streamline operations, and cut costs. With...
Read more
TKS Newsletter - 2024 November
Here's our November 2024 Newsletter Read the full PDF version here: The TKS Sentinel - November Issue In this month's edition, we discuss: Dark Web/Work Laptop ActiveX Controls ...
Read more
tips for troubleshooting computer issues
6 Tips To Troubleshoot Network Issues
Identifying The Source - Fast A business network is the lifeblood of operations. The digital artery pumps data through your organization. It enables everything from email...
Read more

Used with permission from Article Aggregator