WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.
The vulnerability is a code injection vulnerability affecting multiple Ninja Forms releases, starting with version 3.0 and up.
Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.
Read more…
Source: Bleeping Computer