December 5, 2023

A critical Ninja Forms plugin vulnerability that appears to have been exploited in the wild has been affecting millions of wordpress sites.

Advertisements

The exploited security issue, which was identified in the Merge Tag functionality of the plugin, does not have a CVE identifier yet, but with a CVSS score of 9.8.

With this bug, it was possible to call various Ninja Form classes and abuse them for a wide range of exploits targeting vulnerable WordPress sites. Also the manner in which NF_MergeTags_Other  class handles Merge Tags makes it possible for unauthenticated attackers to supply Merge Tags.

The Ninja Forms plugin contains various classes and functions that could be leveraged as part of multiple exploit chains.

Advertisements

The vulnerability was addressed earlier this week with the release of Ninja Forms versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

WordPress apparently performed a forced update, meaning that the impacted websites should already be on a patched version. Administrators are advised to check their Ninja Forms iterations to make sure they use a fixed version.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

DanaBot Trojan Deploying Cactus Ransomware

December 4, 2023

LogoFAIL Firmware Attack

December 3, 2023

Proliance Surgeons Discloses a Data Breach

December 3, 2023

23andMe Breach affected 14K Customers

December 3, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November, 2023

December 2, 2023

Staples affected by a Cyber Attack

December 2, 2023
%d