The developers of the popular WordPress plugin Ninja Forms have released a fix for a high-severity security vulnerability that, if left unpatched, could allow attackers to inject malicious code and take over an entire website.
All versions of the plugin up to 18.104.22.168 are affected by a Cross-Site Request Forgery (CSRF) vulnerability that can be used to launch Stored Cross-Site Scripting (Stored XSS) attacks on users’ WordPress sites.
Ninja Forms is currently installed on over 1m WordPress sites, and the form builder plugin allows users to quickly create complex forms through its drag-and-drop editor.
Wordfence discovered the CSRF vulnerability and responsibly reported it to Saturday Drive, the developer of Ninja Forms, on April 27. The developer quickly released a security fix in the latest version of the plugin, which shipped less than a day after Wordfence’s initial disclosure report.
In a blog post, Wordfence QA engineer Ram Gall provided more details on how an attacker could leverage the vulnerability if site owners don’t update the plugin to the latest version, saying:
While Ninja Forms has already patched the issue, only 170,000 of the plugin’s 1m users have updated their installations to the latest version during the last week. If your site uses this plugin, it is highly recommended that you update to the latest version now to avoid falling victim to any potential attacks leveraging the CSRF vulnerability.