Content management system (CMS) provider WordPress has updated over one million sites to patch a critical vulnerability affecting the popular Ninja Forms plugin. Wordfence threat intelligence reportedly detected the flaw in June and reported it to the company. The details were explained in an advisory the company posted on Thursday, which addressed the vulnerability and offered risk management advice. In the advisory, Wordfence described the flaw as a code injection vulnerability, meaning that unauthenticated attackers could invoke a limited number of methods in various Ninja Forms classes, including methods that open the possibility of Object Injection.
Wordfence stated that, given the nature of the flaw, it could lead to a variety of exploit chains. In addition, security researchers found evidence suggesting that the vulnerability is being actively exploited in the wild. WordPress released a patch for the vulnerability that was automatically applied to sites running several different versions of the plugin. However, Wordfence stated that WordPress users should still implement the patch themselves and remain vigilant, since automatic updates are not always successful.