WordPress Plug-in Ninja Forms Issues Update for Critical Bug
The code injection vulnerability is being actively exploited in the wild, researchers say.
A new security update to the Ninja Forms WordPress plug-in — which has more than 1 million active installations — patches a code injection vulnerability researchers say is being actively exploited in the wild.
The Wordfence team analyzed a recent Ninja Forms update and discovered the patch was for a critical code injection bug that could allow several exploits, including remote code execution (RCE) through deserialization of the content provided by users of the WordPress site form builder.
Wordfence analysts note WordPress has pushed out a forced automatic update for the Ninja Forms plug-in; however, they suggest administrators double check they're running the latest versions, 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
"We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection," the Wordfence research team wrote in its advisory about the Ninja Forms bug. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.
About the Author(s)
You May Also Like
Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024Finding Your Way on the Path to Zero Trust
May 22, 2024Extending Access Management: Securing Access for all Identities, Devices, and Applications
June 4, 2024Assessing Software Supply Chain Risk
June 6, 2024Preventing Attackers From Wandering Through Your Enterprise Infrastructure
June 19, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024