Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix A Code Injection Vulnerability In Ninja Forms WordPress Plugin
June 18, 2022
|
4m

How To Fix A Code Injection Vulnerability In Ninja Forms WordPress Plugin


How To Fix A Code Injection Vulnerability In Ninja Forms Wordpress Plugin

Once again, a critical vulnerability is detected in a WordPress plugin, putting websites at risk. This vulnerability was detected in Ninja Forms WordPress plugin with over one million active installations on June 16, 2022. It’s a code injection vulnerability that allows attackers to completely take over a website by utilizing various exploitation chains. The CVE ID of this vulnerability is not tracked yet. However, it has been rated critical severity with a CVSS score of 9.8. This post is essential for those using Ninja Forms WordPress plugin installed on their websites to understand how to fix the critical code injection vulnerability in Ninja Forms. 

Ninja Forms WordPress Plugin

Ninja Forms WordPress plugin is the most user-friendly contact form builder for creating attractive forms. No coding skills are required to design complex forms like a pro with drag and drop fields. It has easy row and column layouts, conditional forms and multi-page forms. 

This form allows users to upload files and send or export submissions as PDF, Google Sheets, and Microsoft Excel files. Moreover, you can accept credit cards and payments quickly and securely from any of your WordPress forms. It lets you provide your customers with all the options, such as single payments or subscriptions, variable, fixed, or user-entered amounts. 

Here are some additional features of the Ninja Forms WordPress plugin.

  • Easy WordPress GDPR compliance

  • Use pre-built templates to get started fast

  • Mobile responsive and blends easily with a well-designed theme

  • More integrations than any other form builder

Summary Of The Code Injection Vulnerability In Ninja Forms

A critical code injection vulnerability was detected in the WordPress Ninja Forms plugin. This vulnerability made it possible for unauthenticated criminals to call a limited number of methods in several Ninja Forms classes. The method includes unserializing user-supplied data that result in Object Injection. It could allow hackers to execute arbitrary code or delete arbitrary files on websites where a separate 

 was found. 

WordPress seems to force automatic updates for this plugin. It might be possible that your website may already be using one of the patched versions, as this flaw has been patched in various versions.

Associated CVE-ID Pending
CVSS Score 9.8
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score 
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Require (PR)None
User Interaction (UI)None
Scope Unchanged
Confidentiality High
Integrity High
Availability HighHigh

Affected Versions

Here is a list of versions affected by code injection vulnerability in Ninja Forms WordPress Plugin.

  • 3.6-3.6.10

  • 3.5-3.5.8.3

  • 3.4-3.4.34.1

  • 3.3-3.3.21.3

  • 3.2-3.2.27 

  • 3.1-3.1.9 

  • 3.0-3.0.34.1

This vulnerability has been fully patched in the following versions.

  • 3.0.34.2

  • 3.1.10, 3.2.28

  • 3.3.21.4

  • 3.4.34.2

  • 3.5.8.4

  • 3.6.11

How To Fix A Code Injection Vulnerability In Ninja Forms WordPress Plugin?

It is recommended to check whether the Ninja Forms plugin is up to date or not. Its latest version is 3.6.11. Update the plugin to avoid exploitation.

If the force update fails, it means your website is at significant risk. In such a scenario, you need to update the plugin manually using the plugin’s dashboard.

Here are the steps to update the Ninja Forms plugin on your WordPress website.

  1. Log into your WordPress website/

  2. Go to the plugins page and find the Ninja Forms plugin.

  3. Click on ‘Update Now’ next to the plugin.

  4. WordPress will update the plugin, and you will be all set.

If you believe your website has been compromised due to the code injection vulnerability in Ninja Form plugin, get incident response services via Wordfence Care.

We hope this post would help you know how to fix the critical code injection vulnerability in Ninja Forms. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe