Security
Headlines
HeadlinesLatestCVEs

Headline

Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability

WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that’s suspected of having been actively exploited in the wild. The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28,

The Hacker News
#vulnerability#web#wordpress#rce#auth#The Hacker News

WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that’s suspected of having been actively exploited in the wild.

The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

Ninja Forms is a customizable contact form builder that has over 1 million installations.

According to Wordfence, the bug “made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.”

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate [property oriented programming] chain was present,” Chloe Chamberland of Wordfence noted.

Successful exploitation of the flaw could allow an attacker to achieve remote code execution and completely take over a vulnerable WordPress site.

Users of Ninja Forms are advised to ensure that their WordPress sites are updated to run the latest patched version to prevent any possible exploitation attempts in the wild.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

The Hacker News: Latest News

North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS