Date: 2022-06-17

Ninja Forms is a WordPress plugin with over a million active installs, which means there are over a million websites whose contact forms use its technology.

The Wordfence Threat Intelligence team has now published an article detailing a security update that is too important to pass by. If you use Ninja Forms (an excellent solution, by the way), make sure you are running the latest version to avoid problems.

This is a code injection vulnerability: attackers can call various methods in various Ninja Forms classes, bypassing the normal flow a user would follow. In this way an attacker could execute arbitrary code or delete arbitrary files on the website where the plugin is installed.

There are proven cases indicating that this vulnerability is being actively exploited, which is why Wordfence is warning users (although not everyone uses Wordfence).

Ninja Forms helps create easily customizable forms, and allows you to add “Merge Tags” that auto-populate values from other areas of WordPress, such as Post IDs and Logged In Usernames. This is the feature that had the problem and needed to be reworked.

The problem is already fixed in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11. It seems that WordPress has performed a forced automatic update for this plugin, but it is important to verify that your site actually received it.
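To verify an installed version against the fixed releases listed above, the following Python check compares a version string with the fix for its release branch. It is an added example, not code from Ninja Forms or Wordfence; the function names and the sample inventory are constructed, and treating branches newer than 3.6 as patched is an assumption.

```python
import re

# Fixed releases exactly as listed in the article, one per release branch.
FIXED_RELEASES = ["3.0.34.2", "3.1.10", "3.2.28", "3.3.21.4",
                  "3.4.34.2", "3.5.8.4", "3.6.11"]

def parse_version(text):
    """Turn '3.5.8.4' into (3, 5, 8, 4); reject anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def pad(version, length):
    """Right-pad with zeros so 3.0.34 compares as 3.0.34.0."""
    return version + (0,) * (length - len(version))

# Map each (major, minor) branch to its first fixed release.
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_RELEASES}

def patch_status(installed):
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version."""
    version = parse_version(installed)
    branch = pad(version, 2)[:2]
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is not None:
        width = max(len(version), len(fix))
        return "patched" if pad(version, width) >= pad(fix, width) else "vulnerable"
    if branch > max(FIXED_BY_BRANCH):
        return "patched"   # assumption: branches after 3.6 carry the fix
    return "unknown"       # branch the article does not mention

def sites_needing_update(inventory):
    """List sites whose Ninja Forms version is not confirmed patched."""
    return sorted(s for s, v in inventory.items() if patch_status(v) != "patched")

# Constructed sample inventory (site name -> installed Ninja Forms version).
SAMPLE_INVENTORY = {
    "shop.example": "3.6.10",
    "blog.example": "3.6.11",
    "old.example": "3.0.34",
    "legacy.example": "2.9.58",
    "docs.example": "3.5.8.4",
}

if __name__ == "__main__":
    for site, ver in SAMPLE_INVENTORY.items():
        print(f"{site}: {ver} -> {patch_status(ver)}")
```

A version on a branch the article does not list is reported as `unknown` rather than guessed, so it still shows up in the list of sites to review.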

The details of the problem are in this article, where they reach the same conclusion as we do: update before it’s too late.