
WordPress websites using the popular Ninja Forms plugin have been automatically updated to fix a critical flaw that the article's sources report as widely exploited in the wild.

The problem is a code injection bug (PHP object injection through deserialization of user-supplied data) rated 9.8 out of 10 for severity; it affects versions from 3.0 onwards. It has been fixed in 3.1.10, 3.2.28, 3.6.11 and the other patched releases for the affected version branches.

Ninja Forms is a customizable contact form builder that has over 1 million installations.

According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.”

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate [property oriented programming] chain was present,” Chloe Chamberland of Wordfence noted.
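To make the quoted mechanism concrete, the following is an added example and not Ninja Forms code: a hypothetical gadget class `TempFileCleaner` stands in for the "separate property oriented programming chain" Wordfence refers to, i.e. any class already loaded on the site whose magic method (here `__destruct`) performs a side effect on attacker-controlled properties. `unserialize()` on untrusted input instantiates that class with attacker-chosen property values; passing `allowed_classes => false` keeps scalars and arrays but turns any object into `__PHP_Incomplete_Class`, so no gadget method ever runs. The payload, file paths and function names are constructed for the illustration.

```php
<?php
// Added example (not from Ninja Forms): PHP object injection via unserialize()
// and the allowed_classes mitigation. All names here are hypothetical.

// Hypothetical gadget: a class that is legitimately loaded on the site and
// deletes a file in __destruct. It is the "POP chain" an attacker reuses.
class TempFileCleaner {
    public $path;
    public function __construct($path) { $this->path = $path; }
    // __destruct also runs for objects created by unserialize(), with whatever
    // property values the serialized string supplied.
    public function __destruct() {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: deserialising attacker-controlled data as-is.
function vulnerable_restore($payload) {
    return unserialize($payload);
}

// Hardened pattern: forbid object instantiation entirely (PHP >= 7.0).
// Scalars and arrays still round-trip; objects become __PHP_Incomplete_Class.
function hardened_restore($payload) {
    return unserialize($payload, ['allowed_classes' => false]);
}

// Build the attacker's payload: an O: record naming the gadget class and
// setting its "path" property to a file the attacker wants deleted.
function gadget_payload($target) {
    return sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($target), $target);
}

// Returns true if the target file survived deserialization of the payload.
function file_survives(callable $restore, $target) {
    file_put_contents($target, 'important data');
    $obj = $restore(gadget_payload($target));
    unset($obj);            // triggers __destruct on a real TempFileCleaner
    $survived = file_exists($target);
    if ($survived) {
        unlink($target);    // clean up the constructed test file
    }
    return $survived;
}

$target = sys_get_temp_dir() . '/victim-' . getmypid() . '.txt';

// With the vulnerable restore the gadget fires and the file is removed.
echo "vulnerable_restore: file survives? ",
     var_export(file_survives('vulnerable_restore', $target), true), PHP_EOL;

// With allowed_classes => false the object is inert and the file stays.
echo "hardened_restore:   file survives? ",
     var_export(file_survives('hardened_restore', $target), true), PHP_EOL;
```

The practical takeaways match the advisory: the dangerous primitive is not the plugin's own classes but `unserialize()` reaching any loaded class with a side-effecting magic method, so the fix is to never deserialize untrusted input (prefer `json_decode()`), or at minimum to pass `allowed_classes => false` or an explicit whitelist, and to ensure the AJAX or REST handlers that accept such data require authentication and a nonce.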

If the flaw is successfully exploited, the attacker can achieve remote code execution and take over a vulnerable WordPress site. 

Ninja Forms users are advised to confirm that the automatic update has been applied and, if it has not, to update their WordPress sites to the latest patched version.