FOSS Force has just learned from Wordfence, a security company focused on the open source WordPress content management platform, that Ninja Forms, a popular plugin used by more than 500,000 sites, contains serious security vulnerabilities.
In a blog post on Thursday morning, Wordfence writes:
Ninja Forms versions 2.9.36 to 2.9.42 contain multiple vulnerabilities. One of the vulnerabilities results in an attacker being able to upload and execute a shell on WordPress sites using Ninja Forms. We have developed a working exploit for internal use at Wordfence. The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42.
Users of the paid professional version of Wordfence are already protected from the vulnerability. According to Wordfence, WordPress is now preparing to push the patched version of the plugin to all sites running Ninja Forms that have automatic plugin updates enabled. Sites that have not enabled automatic updates should update the plugin manually, and immediately.
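The practical question for anyone administering a WordPress site is whether the installed copy of Ninja Forms falls inside the range Wordfence names, 2.9.36 through 2.9.42 inclusive. The script below, an added example that is neither FOSS Force's nor Wordfence's code, reads the standard `Version:` line from the plugin's main file and compares it against that range. The sample header embedded in it is constructed for a self-contained run, and the default path under `wp-content/plugins/` is an assumption about a typical install.

```python
"""Check an installed Ninja Forms copy against the version range Wordfence
reports as affected (2.9.36 through 2.9.42, inclusive).

Added example, not FOSS Force's or Wordfence's code. The plugin path and the
sample header below are assumptions/constructed so the script runs offline.
"""
import re
from pathlib import Path

# Affected range exactly as quoted from Wordfence's post.
AFFECTED_LOW = (2, 9, 36)
AFFECTED_HIGH = (2, 9, 42)

# Assumed location of the plugin's main file on a typical WordPress install.
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/ninja-forms/ninja-forms.php")

# Constructed sample of the header block WordPress reads from ninja-forms.php.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Plugin URI: http://ninjaforms.com/
Description: Ninja Forms is a webform builder.
Version: 2.9.40
Author: The WP Ninjas
*/
"""


def parse_version(text):
    """Split a dotted version string into a tuple of ints for comparison.

    Python compares tuples element by element and treats a longer tuple with
    an equal prefix as greater, so a four-component release such as
    '2.9.42.1' sorts above '2.9.42' and therefore outside the affected range.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def plugin_header_version(php_source):
    """Extract the 'Version:' value from a WordPress plugin header comment."""
    # The header may be a bare '/* ... */' block or a '/** ... */' block whose
    # lines start with ' * ', so allow an optional leading asterisk.
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line found in plugin header")
    return m.group(1)


def is_affected(version):
    """True if the version lies within the range Wordfence reports."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def check_source(php_source):
    """Return (version, affected) for the given plugin source text."""
    version = plugin_header_version(php_source)
    return version, is_affected(version)


def check_install(plugin_main_file=DEFAULT_PLUGIN_FILE):
    """Return (version, affected) for the plugin file on disk."""
    src = plugin_main_file.read_text(encoding="utf-8", errors="replace")
    return check_source(src)


if __name__ == "__main__":
    # Run against the constructed sample first, then the real file if present.
    print("sample header:", check_source(SAMPLE_PLUGIN_HEADER))
    if DEFAULT_PLUGIN_FILE.exists():
        version, affected = check_install()
        print(f"installed Ninja Forms {version}: "
              f"{'AFFECTED - update now' if affected else 'outside reported range'}")
    else:
        print(f"{DEFAULT_PLUGIN_FILE} not found; run from the WordPress root")
```

Run it from the WordPress document root, or pass another path to `check_install()`. A version check only tells you whether the site is currently exposed; it says nothing about whether the hole was already used. If a site ran an affected version with a public form, treat it as potentially compromised and review the uploads directory and recently changed files after updating, rather than assuming the update alone closed the matter.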