730K WordPress Sites Force-Updated To Patch Critical Plugin Bug

WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild. The vulnerability is a code injection flaw affecting multiple Ninja Forms releases, from version 3.0 onward.

Wordfence threat analyst Ramuel Gall discovered, when reverse-engineering the patch, that unauthenticated attackers can exploit this bug remotely to call various Ninja Forms classes via a flaw in the Merge Tags feature:

There is evidence to suggest that this vulnerability is being actively exploited in the wild, and as such we are alerting our users immediately to the presence of this vulnerability.

This flaw has been fully patched in versions 3.1.10, 3.2.28,,,, and 3.6.11. WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.

Christopher Prewitt, CTO of MRK Technologies, had this to say:

WordPress and WordPress plugins are always under attack. WordPress is the most popular CMS, powering over 43% of websites. Attackers are always looking to leverage their efforts, getting as many results as possible.

While WordPress appears to have performed a forced automatic update for this plugin, it is always important to validate and ensure your site and plugins are configured to automatically update.

This is good advice for anyone who runs a WordPress site, and that includes yours truly. I run very few plugins for security reasons, but if you run a WordPress site that might not be your use case. Thus Mr. Prewitt’s advice is something that you should keep in mind.
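As an added illustration (not code from this post, from Wordfence or from the Ninja Forms project), the following Python checks an installed Ninja Forms version against the patched releases named above. It assumes the standard WordPress plugin header format (`Version:` line) and uses only the fixed versions this page lists; a 3.x branch whose fix the page does not name is reported as unknown rather than safe, since a higher version number on a different branch (3.5.x, for instance) says nothing about whether that branch carries the fix.

```python
import re

# Patched Ninja Forms releases named on this page (the page's list is incomplete,
# so other 3.x branches are treated as "unknown", never as patched).
PATCHED = {"3.1.10", "3.2.28", "3.6.11"}
VULNERABLE_FROM = (3, 0)  # the bug affects releases from 3.0 onward

# Constructed sample of a WordPress plugin header, as found at the top of the
# plugin's main PHP file (version chosen for illustration only).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Version: 3.6.10
*/
"""


def parse_version(v):
    """'3.6.11' -> (3, 6, 11); tolerates suffixes such as '3.6.11-beta'."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_from_plugin_header(text):
    """Extract the 'Version:' value from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def assess(installed, patched=PATCHED):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown-branch'.

    Comparison is done within the major.minor branch: each maintained branch
    got its own fix release, so 3.6.10 is vulnerable even though it is
    numerically above 3.2.28.
    """
    inst = parse_version(installed)
    if inst < VULNERABLE_FROM:
        return "not-affected"
    fixes = {p[:2]: p for p in (parse_version(x) for x in patched)}
    fix = fixes.get(inst[:2])
    if fix is None:
        return "unknown-branch"  # fix for this branch not listed here: verify manually
    return "patched" if inst >= fix else "vulnerable"
```

Run `assess(version_from_plugin_header(open("ninja-forms.php").read()))` against the plugin's main file to check a real install; anything other than `patched` deserves a manual update, since, as Wordfence notes, automatic updates are not always successful.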
