WordPress sites using the Ninja Forms plugin, which has over a million installs, have received a forced update. The reason is that a critical vulnerability was recently fixed in Ninja Forms which, apparently, was already being exploited by attackers.
The vulnerability found in the plugin is a code injection issue that affects multiple versions of Ninja Forms at once, starting with version 3.0. Wordfence analysts found that unauthenticated attackers could exploit it remotely to invoke various Ninja Forms classes through a flaw in the Merge Tags feature.
As a result, attackers can seize full control of a vulnerable site. For example, one exploit chain achieves remote code execution through deserialization, leading to complete compromise of the site; another variant allows arbitrary files to be deleted from the server.
Wordfence analysts note that the vulnerability appears to be exploited in ongoing attacks.
Bleeping Computer reports that most of the affected sites were force-updated after the vulnerability was patched on June 14, 2022. So far, however, no official statement has been issued on the matter.
According to Ninja Forms download statistics, the update has been installed more than 730,000 times since the patch was released. Administrators whose sites missed the forced update are advised to install the patch manually by updating the plugin to the fixed version, 3.6.11.
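An added check, not from the article or from the Ninja Forms project, that reads the Version: header of a WordPress plugin's main file and reports whether the installed release falls in the affected range the article gives (3.0 up to, but not including, 3.6.11). The default plugin path and the sample header are assumptions; the Version: field itself is the standard WordPress plugin header.

```python
import re
import sys
from pathlib import Path

# Affected range as stated in the article: every release from 3.0 up to,
# but not including, the patched release 3.6.11.
FIRST_AFFECTED = (3, 0, 0)
PATCHED = (3, 6, 11)

# Constructed sample of a WordPress plugin file header. "Version:" is the
# standard header field WordPress reads; the value below is made up.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Plugin URI: https://ninjaforms.com/
Version: 3.6.9
Author: Saturday Drive
*/
"""

def parse_version(text):
    """Return the plugin's Version: header as a tuple of ints, or None."""
    m = re.search(r"^[ \t*]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", text, re.MULTILINE)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)   # stop at suffixes such as "-beta"
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts) or None

def is_vulnerable(version):
    """True when a parsed version lies in [3.0, 3.6.11)."""
    v = tuple(version) + (0,) * (3 - len(version))   # pad "3.6" -> (3, 6, 0)
    return FIRST_AFFECTED <= v < PATCHED

def classify(text):
    """Return (version_string, vulnerable) for the plugin's main file text."""
    version = parse_version(text)
    if version is None:
        return (None, None)
    return (".".join(map(str, version)), is_vulnerable(version))

if __name__ == "__main__":
    # Hypothetical default location of the plugin's main file in a WordPress tree.
    path = Path(sys.argv[1] if len(sys.argv) > 1 else
                "wp-content/plugins/ninja-forms/ninja-forms.php")
    text = path.read_text(encoding="utf-8", errors="replace") if path.is_file() else SAMPLE_HEADER
    version, vulnerable = classify(text)
    print(f"{path}: version={version} vulnerable={vulnerable}")
```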
Let me remind you that this is not the first time Automattic, the company behind WordPress, has pushed forced updates to fix critical bugs, although it generally resorts to this measure only in rare and especially serious cases. Earlier, for example, sites using the Jetpack plugin (about 5 million sites at the time) and the UpdraftPlus plugin (about 3 million sites) received patches the same way.
Source: xaker.ru