WordPress sites running the Ninja Forms plugin, which has over a million active installs, have received a forced update. The reason is that a critical vulnerability was recently fixed in Ninja Forms, and it appears to have already been under active exploitation before the fix shipped.
The vulnerability is a code injection issue affecting every Ninja Forms release from version 3.0 up to the patched 3.6.11. Wordfence analysts found that an unauthenticated, remote attacker could abuse the plugin's Merge Tags feature to invoke various internal Ninja Forms classes that form input was never meant to reach.
As a result, an attacker can take full control of a vulnerable site. One exploit chain achieves remote code execution through PHP object deserialization, which amounts to complete site compromise; another variant allows arbitrary files to be deleted from the server.
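To make the bug class concrete, here is an added illustration of the pattern described above (this is example code written for this article, not Ninja Forms' own code or its actual fix, and the class and function names are hypothetical): a merge-tag resolver that lets form input choose the callback, checked only with `is_callable()`, next to a resolver that dispatches through an explicit allowlist. The unsafe resolver lets a submission reach a static method that calls `unserialize()` on attacker data, which is the kind of deserialization sink the article refers to.

```php
<?php
// Added illustration, not Ninja Forms code. All names here are hypothetical.

// Stand-in for a plugin-internal helper that must never be reachable from
// form input: it unserializes whatever it is handed.
class Hypothetical_Form_Importer {
    public static function import(string $blob): string {
        // unserialize() on untrusted input is the deserialization sink; with a
        // suitable gadget chain on the site this becomes code execution.
        $data = @unserialize($blob);
        return is_array($data) ? 'imported ' . count($data) . ' keys' : 'import failed';
    }
}

// Vulnerable pattern: the tag body is split into "callable|argument" and the
// callable is vetted only with is_callable(), which accepts any public static
// method of any loaded class, so the attacker picks the callee.
function resolve_merge_tag_vulnerable(string $tag): string {
    [$callable, $arg] = array_pad(explode('|', $tag, 2), 2, '');
    if (is_callable($callable)) {
        return (string) call_user_func($callable, $arg);
    }
    return '';
}

// Hardened pattern: an explicit allowlist maps tag names to the only callbacks
// the feature is meant to expose. Anything else is left as literal text.
const MERGE_TAG_ALLOWLIST = [
    'site_title' => 'merge_tag_site_title',
    'date'       => 'merge_tag_date',
];

function merge_tag_site_title(string $arg): string { return 'Example Site'; }
function merge_tag_date(string $arg): string { return gmdate('Y-m-d'); }

function resolve_merge_tag_hardened(string $tag): string {
    [$name, $arg] = array_pad(explode('|', $tag, 2), 2, '');
    if (!isset(MERGE_TAG_ALLOWLIST[$name])) {
        return '{' . $tag . '}'; // unknown tag: echo it back, never dispatch
    }
    return (string) call_user_func(MERGE_TAG_ALLOWLIST[$name], $arg);
}

// Constructed input: a form submission that names an internal static method
// and hands it a serialized payload.
$attacker_tag = 'Hypothetical_Form_Importer::import|' . serialize(['x' => 1]);

echo resolve_merge_tag_vulnerable($attacker_tag), PHP_EOL;
echo resolve_merge_tag_hardened($attacker_tag), PHP_EOL;
echo resolve_merge_tag_hardened('site_title'), PHP_EOL;
```

Run with `php example.php`: the first line shows the internal importer being reached through the tag (its `unserialize()` call ran on attacker data), while the hardened resolver returns the tag unchanged and only dispatches for the two allowlisted names. The point to take away is that `is_callable()` answers "can PHP call this?", not "should user input be allowed to call this?"; an allowlist keyed on tag names, rather than on class or method strings taken from the request, is what closes the hole.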
Wordfence analysts note that the vulnerability appears to be under active exploitation in the wild.
Bleeping Computer reports that most affected sites were force-updated after the fix was released on June 14, 2022, although no official statement about the forced update has been published yet.
According to Ninja Forms download statistics, the update has been installed more than 730,000 times since the patch was released. Administrators whose sites did not receive the forced update (for example, because automatic plugin updates are disabled) should update the plugin manually to the fixed version, 3.6.11, and confirm afterwards that the installed version is 3.6.11 or later.
As a reminder, this is not the first time the WordPress.org security team has pushed a forced plugin update to fix a critical bug, but it is a last resort reserved for rare and especially serious cases.