Technology Tips

July 29, 2022

WordPress NinjaForms Plugin Was Force Updated Due To Vulnerability

Written By Securafy Team

Do you run a WordPress site?  Do you also use the popular forms design and management plugin called NinjaForms?  If you answered yes to both of those questions, be aware that NinjaForms was recently found to have a critical security flaw.

The flaw takes the form of a code injection vulnerability and impacts all versions of NinjaForms from 3.0 forward.  With more than a million installations to its name, that makes the newly discovered bug a problem indeed.

To their credit, the company behind the plugin moved quickly and issued an update which should have auto-installed on your system.

Chloe Chamberland is a researcher at Wordfence Threat Intelligence.

Chloe had this to say about the security flaw:

"We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present."

The security patch was auto applied to more than 730,000 NinjaForms installations.  While that's excellent, it's clear that some admins don't take kindly to auto-applied patches of any sort and have taken active countermeasures against such things.

If your company is one of those, you'll need to install the latest version of NinjaForms as soon as possible. If you're not sure you use it, check with your IT staff, and make them aware of the issue.

This isn't the first time WordPress has taken away user agency in the name of security.  For instance, in 2019 the Jetpack plugin received a critical security update that corrected how the plugin processed embedded code.  The company didn't make a fuss over it, they simply updated everyone's Jetpack to the latest (safer) version.

Kudos to WordPress and the developers of NinjaForms for their rapid response in this instance. Kudos for keeping the web relatively safe.

Picture of Securafy Team
About The Author
Our team at Securafy brings you the best tech tips, from how-to guides and troubleshooting advice to software reviews and productivity hacks. We're all about empowering businesses with the tools and knowledge they need to thrive in the digital world. Follow our posts to stay equipped with practical insights that make tech work for you.

Join the Conversation

Subscribe to our newsletter

Sign up for our FREE "Cyber Security Tip of the Week!" and always stay one step ahead of hackers and cyber-attacks.