WordPress Forcibly Updates Over a Million Websites to Fix Critical Plugin Flaw

Vlad CONSTANTINESCU

June 17, 2022


Over 1 million WordPress websites using the Ninja Forms plugin have been automatically updated to prevent a potential high-severity security flaw suspected of being exploited in the wild.

The vulnerability, which has yet to receive a CVE ID, has a CVSS score of 9.8 (critical severity) and affects several versions of Ninja Forms, starting from 3.0. The flaw has been fixed in the following releases:

  • Fully patched versions - 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11

While they didn’t disclose any incident tied to this exploit, the company said it has evidence that the flaw is being exploited.

Ninja Forms is a customizable drag-and-drop WordPress form builder installed by more than a million customers. The vulnerable plugin could reportedly let unauthenticated threat actors call various methods through Ninja Form classes, “including a method that unserialized user-supplied content, resulting in Object Injection.”

Upon exploiting the flaw, attackers could remotely execute arbitrary code, delete files, and take over vulnerable sites completely.

“One feature of Ninja Forms is the ability to add ‘Merge Tags’ to forms that will auto-populate values from other areas of WordPress like Post IDs and logged in user’s names,” according to Wordfence. “Unfortunately, this functionality had a flaw that made it possible to call various Ninja Form classes that could be used for a wide range of exploits targeting vulnerable WordPress sites.”

Wordfence urges Ninja Forms users to ensure that their websites are running one of the patched versions, despite WordPress’ efforts to deploy automatic updates.

“WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions,” Wordfence’s PSA reads. “Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.”
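As an added example (not part of the article or of Wordfence’s advisory), this script takes the patched release list above and reports whether a given installed Ninja Forms version is at or above the fix for its 3.x branch, which is the check the PSA asks site owners to make. The site inventory is constructed sample data, and the WP-CLI command mentioned in the comment is an assumed way to collect the version, not something the article describes.

```python
import re

# Patched releases as listed in the advisory, one per 3.x branch.
PATCHED = ["3.0.34.2", "3.1.10", "3.2.28", "3.3.21.4", "3.4.34.2", "3.5.8.4", "3.6.11"]

def parse(version: str) -> tuple:
    """Turn '3.5.8.4' into (3, 5, 8, 4); any non-numeric suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def classify(installed: str) -> str:
    """Classify an installed Ninja Forms version against the patched list.

    Tuple comparison is used so that 3.0.34 sorts below 3.0.34.2 and
    3.6.12 sorts above 3.6.11 within the same branch.
    """
    inst = parse(installed)
    if inst < (3, 0):
        # The advisory lists affected versions starting from 3.0.
        return "outside_listed_range"
    fixes = {parse(v)[:2]: parse(v) for v in PATCHED}
    fix = fixes.get(inst[:2])
    if fix is None:
        # Assumption: a branch newer than 3.6 postdates the fix; an unlisted
        # branch below it is reported as unknown rather than guessed.
        return "patched" if inst > max(fixes.values()) else "unknown"
    return "patched" if inst >= fix else "vulnerable"

# Constructed sample inventory: site name -> Ninja Forms version reported by
# the site (assumed source: `wp plugin get ninja-forms --field=version`).
SAMPLE_INVENTORY = {
    "shop.example": "3.6.11",
    "blog.example": "3.6.10",
    "intranet.example": "3.5.8.3",
    "legacy.example": "3.0.34",
    "archive.example": "2.9.5",
}

def sites_needing_update(inventory: dict) -> list:
    """Return the sites still on a vulnerable version, sorted by name."""
    return sorted(site for site, v in inventory.items()
                  if classify(v) == "vulnerable")

if __name__ == "__main__":
    for site, version in SAMPLE_INVENTORY.items():
        print(f"{site:20} {version:10} {classify(version)}")
    print("needs update:", sites_needing_update(SAMPLE_INVENTORY))
```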
