WordPress websites using a popular plugin named Ninja Forms have been automatically updated to fix a critical flaw that has been widely exploited in the wild.
The flaw is a code injection vulnerability rated 9.8 out of 10 for severity, and it affects versions 3.0 onwards. It has been fixed in 18.104.22.168, 3.1.10, 3.2.28, 22.214.171.124, 126.96.36.199, 188.8.131.52, and 3.6.11.
Ninja Forms is a customizable contact form builder that has over 1 million installations.
According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.”
“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate [property oriented programming] chain was present,” Chloe Chamberland of Wordfence noted.
If the flaw is successfully exploited, the attacker can achieve remote code execution and take over a vulnerable WordPress site.
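The mechanism Wordfence describes, unserializing user-supplied content, is shown below as an added example. It is not Ninja Forms or WordPress code: the `TempFile` class, the `contains_object` and `decode_untrusted` helpers and the sample input are all constructed for illustration. It contrasts a plain `unserialize()` call with one that refuses to instantiate classes.

```php
<?php
// Constructed stand-in for a class already loaded on a site (hypothetical).
// A destructor with a side effect is the kind of method a property-oriented
// programming chain is assembled from.
class TempFile {
    public $path = '';
    public static $log = [];
    public function __destruct() {
        // A real gadget might delete $this->path; this one only records it.
        self::$log[] = "destructor ran for {$this->path}";
    }
}

// True if the decoded value holds an object anywhere in its structure.
function contains_object($value): bool {
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) return true;
        }
        return false;
    }
    return is_object($value) || $value instanceof __PHP_Incomplete_Class;
}

// Decode untrusted serialized data without instantiating any class.
function decode_untrusted(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (contains_object($value)) {
        throw new InvalidArgumentException('serialized objects are rejected');
    }
    return $value;
}

// Constructed sample of user-supplied content: a serialized TempFile.
$input = 'O:8:"TempFile":1:{s:4:"path";s:13:"wp-config.php";}';

// Unsafe: the class is instantiated with caller-chosen properties and its
// destructor fires as soon as the object is released.
$obj = unserialize($input);
unset($obj);
echo count(TempFile::$log), " destructor call(s) after plain unserialize\n";

// Hardened: no TempFile object is created, and the input is refused.
try {
    decode_untrusted($input);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo count(TempFile::$log), " destructor call(s) after hardened decode\n";
```

The destructor count stays at 1 after the hardened call, because `allowed_classes => false` turns the serialized object into an inert `__PHP_Incomplete_Class` instead of a live `TempFile`.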
Ninja Forms users are advised to update their WordPress sites to the latest patched version if they have not already done so.