May 28, 2023

A critical Ninja Forms plugin vulnerability that appears to have been exploited in the wild has been affecting millions of wordpress sites.

Advertisements

The exploited security issue, which was identified in the Merge Tag functionality of the plugin, does not have a CVE identifier yet, but with a CVSS score of 9.8.

With this bug, it was possible to call various Ninja Form classes and abuse them for a wide range of exploits targeting vulnerable WordPress sites. Also the manner in which NF_MergeTags_Other  class handles Merge Tags makes it possible for unauthenticated attackers to supply Merge Tags.

The Ninja Forms plugin contains various classes and functions that could be leveraged as part of multiple exploit chains.

Advertisements

The vulnerability was addressed earlier this week with the release of Ninja Forms versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

WordPress apparently performed a forced update, meaning that the impacted websites should already be on a patched version. Administrators are advised to check their Ninja Forms iterations to make sure they use a fixed version.

Tags:

Leave a Reply

You may have missed

Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
Buhti Ransomware Dissection

Buhti Ransomware Dissection

May 26, 2023
Volt Typhoon – Chinese Threat Actor Targetting US Infra

Volt Typhoon – Chinese Threat Actor Targetting US Infra

May 25, 2023
%d bloggers like this: