Thousands of WordPress sites force updated to fix dangerous security flaw

By Scott Marlette Last updated Jun 18, 2022

A hugely popular forms builder plugin for the WordPress website builder (opens in new tab) with more than a million installations is vulnerable to a high-severity flaw that could allow threat actors complete website takeover.

Ninja Forms has recently released a new patch, which when reverse-engineered, included a code injection vulnerability (opens in new tab) that affected all versions from 3.0 upwards.

According to Wordfence threat intelligence lead Chloe Chamberland, remotely executing code via deserialization allows threat actors to completely take over a vulnerable site.

Evidence of abuse

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Chamberland said.

“This could allow attackers to execute arbitrary code (opens in new tab) or delete arbitrary files on sites where a separate POP chain was present.”

To make things even worse, the flaw was observed being abused in the wild, Wordfence further found.

The patch was force-pushed to the majority of the affected sites, BleepingComputer further found. Looking at the download statistics for the patch, more than 730,000 websites have already been patched. While the number is encouraging, it still leaves hundreds of thousands of vulnerable sites.

Those that use Ninja Forms and haven’t updated it yet, should apply the fix manually, as soon as possible. That can be done from the dashboard, and admins should make sure their plugin is updated to version 3.6.11.

This is not the first time a high-severity flaw was found in Ninja Forms. Roughly two years ago, all versions of the plugin up to 3.4.24.2 were found to have been affected by the Cross-Site Request Forgery (CSRF) vulnerability. This one could have been used to launch Stored Cross-Site Scripting (Stored XSS) attacks on user’s WordPress (opens in new tab) sites, essentially taking them over.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.