Forced updates applied to WordPress sites hit by Ninja Forms vulnerability

BleepingComputer reports that forced updates have been implemented for WordPress sites leveraging the Ninja Forms plugin, which was discovered by Wordfence researchers to be impacted by a critical code injection flaw that could be exploited to facilitate site takeovers.

Attackers could leverage the flaw, which may be abused in the wild, to call some Ninja Forms class methods, one of which could prompt object injection, according to Wordfence Threat Intelligence Lead Chloe Chamberland.

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present,” Chamberland added. More than 730,000 websites have already been force-updated to address the vulnerability, according to Ninja Forms’ download statistics. “WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions,” said Chamberland. Forced updates have also been employed by WordPress content management system developer Automattic to address critical vulnerabilities in numerous sites in October 2020.