A new security update to the Ninja Forms WordPress plug-in — which has more than 1 million active installations — patches a code injection vulnerability researchers say is being actively exploited in the wild. 

The Wordfence team analyzed a recent Ninja Forms update and discovered the patch was for a critical code injection bug that could allow several exploits, including remote code execution (RCE) through deserialization of the content provided by users of the WordPress site form builder. 

Wordfence analysts note WordPress has pushed out a forced automatic update for the Ninja Forms plug-in; however, they suggest administrators double check they're running the latest versions, 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

"We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection," the Wordfence research team wrote in its advisory about the Ninja Forms bug. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.