The Cybersecurity Daily News

WordPress sites updated automatically to fix a critical Plugin flaw


WordPress websites running the popular Ninja Forms plugin have been automatically updated to fix a critical vulnerability, and there is evidence that the flaw has been actively exploited in the wild.

The vulnerability is a PHP object injection flaw (unsafe unserialization of user-supplied content) rated 9.8 out of 10 on the CVSS severity scale; it affects versions from 3.0 onwards. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11, one release for each affected 3.x branch.

Ninja Forms is a customizable contact form builder that has over 1 million installations.

According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.”

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate [property oriented programming] chain was present,” Chloe Chamberland of Wordfence noted.

Where such a gadget chain is present, successful exploitation gives an attacker remote code execution and full takeover of the vulnerable WordPress site.
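To make the Wordfence description concrete, here is an added PHP example (not Ninja Forms code and not from the original article) showing why unserialize() on user-supplied data is dangerous and two ways to close the hole. The LogCleaner class and its file-deleting destructor are a hypothetical gadget standing in for whatever class on a real site happens to form a POP chain; the payload is constructed for the demonstration.

```php
<?php
// Added example, not Ninja Forms code. LogCleaner is a hypothetical "gadget":
// a class that already exists on the site and whose magic method has a side effect.
class LogCleaner {
    public string $path;

    public function __construct(string $path) {
        $this->path = $path;
    }

    // Runs automatically when the object is destroyed, even if the object was
    // produced by unserialize() on attacker-controlled input rather than by
    // the application itself. That is what turns object injection into impact.
    public function __destruct() {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: unserialize() on attacker-controlled input instantiates whatever
// class the payload names, with whatever property values the payload sets.
function restore_state_vulnerable(string $payload) {
    return unserialize($payload);
}

// HARDENED (option 1): refuse to instantiate any class. Unknown classes come back
// as __PHP_Incomplete_Class, whose magic methods never run.
function restore_state_safer(string $payload) {
    return unserialize($payload, ['allowed_classes' => false]);
}

// HARDENED (option 2): use a data-only format for user-supplied state so that no
// object is ever created from it.
function restore_state_json(string $payload): ?array {
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Demonstration on a throwaway file in the temp directory.
$victim = tempnam(sys_get_temp_dir(), 'poi');
file_put_contents($victim, "important\n");

// Constructed attacker payload: a serialized LogCleaner whose path is $victim.
// Format: O:<class name length>:"<class>":<property count>:{<properties>}
$payload = sprintf(
    'O:10:"LogCleaner":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim),
    $victim
);

// Safer path: the object is an incomplete-class placeholder, no destructor fires.
$obj = restore_state_safer($payload);
echo ($obj instanceof __PHP_Incomplete_Class) ? "safer: class not instantiated\n" : "unexpected\n";
unset($obj);
echo file_exists($victim) ? "safer: file still present\n" : "safer: file deleted?!\n";

// Vulnerable path: a real LogCleaner is built, and its __destruct deletes the file.
$obj = restore_state_vulnerable($payload);
unset($obj);
echo file_exists($victim) ? "vulnerable: file still present?!\n" : "vulnerable: file deleted\n";
```

The important point for reviewers is that the dangerous call is unserialize() itself: the attacker never needs to reach LogCleaner's code directly, only to name it in a payload that the application deserializes.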

Ninja Forms users are advised to confirm that their sites are on one of the patched releases listed above and to update if not. The automatic update should already have reached most sites, but the installed version is still worth verifying rather than assumed.
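As a practical check, here is an added PHP snippet (not part of the original article or of the Ninja Forms project) that reads the plugin's header, picks the patched release for the installed 3.x branch from the list above, and reports whether the site is patched. It assumes the default plugin path wp-content/plugins/ninja-forms/ninja-forms.php and falls back to a constructed sample header when that file is not readable.

```php
<?php
// Added example, not Ninja Forms code. Patched releases from the article, keyed by
// major.minor branch.
const NINJA_FORMS_PATCHED = [
    '3.0' => '3.0.34.2',
    '3.1' => '3.1.10',
    '3.2' => '3.2.28',
    '3.3' => '3.3.21.4',
    '3.4' => '3.4.34.2',
    '3.5' => '3.5.8.4',
    '3.6' => '3.6.11',
];

// Pull the "Version:" field out of a WordPress plugin header comment.
function plugin_header_version(string $header): ?string {
    return preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9.]*)/mi', $header, $m) ? $m[1] : null;
}

// 'patched', 'vulnerable', or 'unknown' when the branch is not in the table
// (for example a 2.x install or a 3.x branch newer than the ones listed).
function ninja_forms_status(string $version): string {
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    if (!isset(NINJA_FORMS_PATCHED[$branch])) {
        return 'unknown';
    }
    // version_compare handles four-part versions such as 3.0.34.2.
    return version_compare($version, NINJA_FORMS_PATCHED[$branch], '>=') ? 'patched' : 'vulnerable';
}

// Constructed sample header (fields abbreviated) used when the real file is absent.
$sample_header = <<<'HDR'
/*
Plugin Name: Ninja Forms
Version: 3.6.10
*/
HDR;

$path   = 'wp-content/plugins/ninja-forms/ninja-forms.php'; // assumed default install path
$header = is_readable($path) ? file_get_contents($path, false, null, 0, 8192) : $sample_header;

$version = plugin_header_version($header);
printf(
    "Ninja Forms %s: %s\n",
    $version ?? 'version not found',
    $version !== null ? ninja_forms_status($version) : 'unknown'
);
```

Run it from the WordPress root; a result of "unknown" means the branch is outside the list above and should be checked against the plugin changelog by hand rather than treated as safe.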

Reference

https://thehackernews.com/2022/06/over-million-wordpress-sites-forcibly.html
