Security News > 2022 > June > Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability
WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that's suspected of having been actively exploited in the wild.
Ninja Forms is a customizable contact form builder that has over 1 million installations.
According to Wordfence, the bug "Made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection."
"This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate chain was present," Chloe Chamberland of Wordfence noted.
Successful exploitation of the flaw could allow an attacker to achieve remote code execution and completely take over a vulnerable WordPress site.
Users of Ninja Forms are advised to ensure that their WordPress sites are updated to run the latest patched version to prevent any possible exploitation attempts in the wild.
News URL
https://thehackernews.com/2022/06/over-million-wordpress-sites-forcibly.html
Related news
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Unpatched critical flaws impact Fancy Product Designer WordPress plugin (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)