A critical Ninja Forms plugin vulnerability that appears to have been exploited in the wild has been affecting millions of wordpress sites.
The exploited security issue, which was identified in the Merge Tag functionality of the plugin, does not have a CVE identifier yet, but with a CVSS score of 9.8.
With this bug, it was possible to call various Ninja Form classes and abuse them for a wide range of exploits targeting vulnerable WordPress sites. Also the manner in which NF_MergeTags_Other class handles Merge Tags makes it possible for unauthenticated attackers to supply Merge Tags.
The Ninja Forms plugin contains various classes and functions that could be leveraged as part of multiple exploit chains.
The vulnerability was addressed earlier this week with the release of Ninja Forms versions 220.127.116.11, 3.1.10, 3.2.28, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 3.6.11.
WordPress apparently performed a forced update, meaning that the impacted websites should already be on a patched version. Administrators are advised to check their Ninja Forms iterations to make sure they use a fixed version.