More than 700 thousand websites using the platform WordPress It had to be forcefully updated this week to fix it. Critical vulnerability in Ninja Forms plugin, according to a statement released Thursday (16). The flaw was recently spotted by Wordfence experts.
According to the report, the bug allows attackers to execute arbitrary code on the affected page or delete files if the bug is successful. There is evidence of its active use in different types of ongoing cyberattacks.
Very popular with WordPress users, Ninja Forms is available on over 1 million websites and makes it possible to add contact forms to pages. The breach was detected in the Combine Tags feature, but the platform did not provide further details to prevent further abuse.
“We discovered a code injection vulnerability that allows unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that fails to serialize user-supplied content, resulting in object nesting,” the researchers said. The issue affects plug-in versions 3.0 and later.
check your website
Although the update was released automatically, not all WordPress sites received the update. security patch with bug fix. Therefore, the recommendation is for page admins who use the content management system to check the status of the Ninja Forms plugin.
According to the report, the vulnerability was fully fixed in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11 of the plugin after the forced update. If your page has not received the update, you can update it manually in the platform’s control panel.
Source: Tec Mundo
