Critical security vulnerabilities in a WordPress plugin installed on around 900,000 websites could allow malicious hackers to steal sensitive information entered into forms.
The vulnerabilities in Ninja Forms were discovered by Patchstack in June 2023 and were responsibly disclosed at the same time to the plugin's developer, Saturday Drive.
The most serious vulnerability allowed low-privileged users holding only the "Subscriber" or "Contributor" role to export all the data that other users had submitted through the site's forms.
This is a particular problem because many WordPress sites allow anyone to register as a "Subscriber" or member, so the precondition for exploitation is often nothing more than a free account.
The potential, therefore, for a website running a vulnerable version of the Ninja Forms plugin to suffer a significant data breach is considerable.
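The flaw described above belongs to a well-known class: a privileged action (bulk export of submissions) reachable by any authenticated user because the handler never checks a capability. The following is an added illustration written for this article, not Ninja Forms' own code, and it does not reproduce Patchstack's proof of concept. The plugin, hook, function and table names (`demo_export_submissions`, `demo_form_entries`) are invented for the example; the WordPress APIs used (`add_action`, `current_user_can`, `check_ajax_referer`, `$wpdb->prepare`, `wp_send_json_*`) are real. The first handler shows the vulnerable pattern, the second the hardened one.

```php
<?php
// Added example for this article. Hypothetical plugin code, NOT Ninja Forms.
// Names such as demo_export_submissions and demo_form_entries are invented.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for ANY logged-in user, including self-registered
// Subscribers. No capability check and no nonce check, so anyone with an
// account can pull every form submission on the site.
add_action( 'wp_ajax_demo_export_submissions_vuln', 'demo_export_submissions_vuln' );
function demo_export_submissions_vuln() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, form_id, fields FROM {$wpdb->prefix}demo_form_entries",
        ARRAY_A
    );
    wp_send_json( $rows );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_demo_export_submissions', 'demo_export_submissions' );
function demo_export_submissions() {
    // 1. Authorization: require a capability that only trusted roles hold.
    //    'manage_options' is held by Administrators. A plugin may register a
    //    narrower custom capability instead, but "is logged in" is never enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF: verify a nonce bound to this action, so an administrator cannot
    //    be tricked into triggering the export via a crafted link or page.
    //    The nonce is issued with wp_create_nonce( 'demo_export_submissions' )
    //    when the admin screen is rendered and sent back as the 'nonce' field.
    check_ajax_referer( 'demo_export_submissions', 'nonce' );

    // 3. Validate user-controlled parameters before they reach the query.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'Invalid form_id' ), 400 );
    }

    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, form_id, fields FROM {$wpdb->prefix}demo_form_entries WHERE form_id = %d",
            $form_id
        ),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
```

When auditing a plugin for this class, look at every `wp_ajax_*`, `admin_post_*` and REST route callback (and its `permission_callback`) and ask what it does before touching data: a handler that exports, deletes or modifies other users' records must gate on a capability, not merely on authentication, and should verify a nonce as a separate, second control.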
On 4 July, Ninja Forms version 3.6.26 was released, seemingly patching the security vulnerabilities.
However, according to Patchstack, the "fix" is incomplete and still leaves open ways for a hacker to extract data. The researchers have offered Saturday Drive assistance in properly closing the security holes in Ninja Forms.
Unfortunately, as Patchstack has already published proof-of-concept code showing how to exploit the flaw, there is a real risk that attackers will take advantage of the many websites still running vulnerable versions of Ninja Forms to steal sensitive information.
Even though the security flaws may not yet be completely fixed, administrators of WordPress-powered websites that use the Ninja Forms plugin would be wise to ensure they are running the very latest version, since the 3.6.26 update at least narrows the exposure.
Unfortunately, it is understood that a significant proportion of the 900,000-or-so websites running Ninja Forms have still not updated the plugin.
Alternatively, if you are particularly concerned about a potential breach of your form data, you might be wise to completely disable Ninja Forms for the time-being, and use other methods to collect information from your website visitors.
Ninja Forms is no stranger to security problems. In June 2022, WordPress pushed out a forced security update to the plugin after a vulnerability that could allow attackers to execute code or delete files on sites was found to be under active exploitation.