The code injection vulnerability is being actively exploited in the wild, researchers say.

Dark Reading Staff, Dark Reading

June 17, 2022

1 Min Read
Man looking at screen displaying WordPress site
Source: Chris Batson via Alamy Stock Photo

A new security update to the Ninja Forms WordPress plug-in — which has more than 1 million active installations — patches a code injection vulnerability researchers say is being actively exploited in the wild. 

The Wordfence team analyzed a recent Ninja Forms update and discovered the patch was for a critical code injection bug that could allow several exploits, including remote code execution (RCE) through deserialization of the content provided by users of the WordPress site form builder. 

Wordfence analysts note WordPress has pushed out a forced automatic update for the Ninja Forms plug-in; however, they suggest administrators double check they're running the latest versions,, 3.1.10, 3.2.28,,,, and 3.6.11.

"We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection," the Wordfence research team wrote in its advisory about the Ninja Forms bug. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights