Do you run a WordPress site?  Do you also use the popular forms design and management plugin called NinjaForms?  If you answered yes to both of those questions, be aware that NinjaForms was recently found to have a critical security flaw.

The flaw takes the form of a code injection vulnerability and impacts all versions of NinjaForms from 3.0 forward.  With more than a million installations to its name, that makes the newly discovered bug a problem indeed.

To their credit, the company behind the plugin moved quickly and issued an update which should have auto-installed on your system.

Chloe Chamberland is a researcher at Wordfence Threat Intelligence.

Chloe had this to say about the security flaw:

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”

The security patch was auto applied to more than 730,000 NinjaForms installations.  While that’s excellent, it’s clear that some admins don’t take kindly to auto-applied patches of any sort and have taken active countermeasures against such things.

If your company is one of those, you’ll need to install the latest version of NinjaForms as soon as possible. If you’re not sure you use it, check with your IT staff, and make them aware of the issue.

This isn’t the first time WordPress has taken away user agency in the name of security.  For instance, in 2019 the Jetpack plugin received a critical security update that corrected how the plugin processed embedded code.  The company didn’t make a fuss over it, they simply updated everyone’s Jetpack to the latest (safer) version.

Kudos to WordPress and the developers of NinjaForms for their rapid response in this instance. Kudos for keeping the web relatively safe.

Related Posts - TKS Blog

TKS Newsletter - 2025 March
Here's our March 2025 Newsletter Read the full PDF version here: The TKS Sentinel - March Issue In this month's edition, we discuss: Cybersecurity Planning Microsoft Trashes...
Read more
successful data backupssuccessful data backups
Tips For A Foolproof Data Backup Strategy
Your small to mid-sized business is thriving. Sales are up, customer engagement is growing, and operations are running smoothly. But then, disaster strikes. It could...
Read more
why you need data backupswhy you need data backups
The Ultimate Guide to Business Backup and Disaster Recovery
Businesses today rely on an intricate web of digital technology to operate, grow, and achieve their goals. But what happens when disaster strikes? Without a...
Read more
TKS Newsletter - 2025 February
Here's our February 2025 Newsletter Read the full PDF version here: The TKS Sentinel - February Issue In this month's edition, we discuss: Work-Specific Tools Windows 11...
Read more

Used with permission from Article Aggregator