Attackers could leverage the flaw, which may be abused in the wild, to call some Ninja Forms class methods, one of which could result in object injection, according to Wordfence Threat Intelligence Lead Chloe Chamberland.
“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present,” Chamberland added. More than 730,000 websites have already been force-updated to address the vulnerability, according to Ninja Forms’ download statistics. “WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions,” said Chamberland. Forced updates have also been employed by WordPress content management system developer Automattic to address critical vulnerabilities in numerous sites in October 2020.