WordPress plugin Ninja Forms gets forced update
The popular WordPress plugin Ninja Forms has received a security update. Researchers discovered a vulnerability so serious that WordPress pushed a forced update. Sites that run on the content management system and have not updated this plugin by hand should therefore already have the fix, although Wordfence recommends checking that the update actually went through.
So writes Wordfence, a cybersecurity company that has frequently disclosed problems in widely used WordPress plugins.
WordPress in a nutshell
WordPress is one of the most popular content management systems (cms) in the world, largely because you need no technical knowledge or programming experience to build your own website. In the early days the cms was used mainly by bloggers; today it is used for almost every kind of site. It is estimated that more than 75 million websites worldwide run on WordPress.
Another reason WordPress is so popular with site builders is how easy it is to add functionality: you simply install a plugin. Adding a guestbook, slider or forum is child's play thanks to plugins.
Researchers find very dangerous vulnerability in Ninja Forms
Installing plugins is not without risk, however. If a plugin is not properly maintained by its developer, it can introduce security vulnerabilities into your website. That is exactly what happened with Ninja Forms, a plugin that lets you add a contact form to your site in no time. More than one million sites use it.
Wordfence security researchers discovered a vulnerability in the plugin that made it possible to execute arbitrary code or delete arbitrary files. What makes it especially dangerous is that no login credentials are needed to exploit it: an unauthenticated attacker can abuse it.
WordPress rolls out forced update
The security company has not published details of the vulnerability. It does note that there are indications it was being actively exploited. WordPress has pushed a forced update to sites using Ninja Forms that installs the security fix. Nevertheless, Wordfence advises making sure your site is on one of the patched versions as soon as possible, because automatic updates do not always succeed.
To be sure the vulnerability is fixed, you must be running at least the patched release for your branch: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 or 3.6.11. Wordfence ends its blog post with the following warning:
"If you know of a friend or colleague who uses this plugin on their site, we strongly recommend that you forward this warning to them to help protect their sites, as this is a serious vulnerability that could lead to a full takeover of the site."
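Because the patched version differs per release branch, a naive "is my version higher than 3.6.11?" check gives the wrong answer for a site on, say, the 3.5 branch. The following Python script is an added example (not code from Wordfence or from the Ninja Forms project): it reads the `Version:` field from the plugin's main file header and decides, per branch, whether the installed release is at or above the patched one. The branch table is the list of patched versions Wordfence published; the sample plugin header and the file path are constructed for the example. On a live site the same version string can also be obtained with `wp plugin get ninja-forms --field=version`.

```python
import re
import sys
from typing import Optional, Tuple

# Minimum patched release per branch, from the Wordfence advisory. Tuples
# compare element-wise, so (3, 0, 34) < (3, 0, 34, 2) as intended.
PATCHED_BY_BRANCH = {
    (3, 0): (3, 0, 34, 2),
    (3, 1): (3, 1, 10),
    (3, 2): (3, 2, 28),
    (3, 3): (3, 3, 21, 4),
    (3, 4): (3, 4, 34, 2),
    (3, 5): (3, 5, 8, 4),
    (3, 6): (3, 6, 11),
}
LATEST_PATCHED = (3, 6, 11)  # anything newer than this carries the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.5.8.4' -> (3, 5, 8, 4); rejects anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def read_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version."""
    v = parse_version(version)
    if v >= LATEST_PATCHED:
        return "patched"                       # 3.6.11 or any later release
    branch = v[:2]
    if branch in PATCHED_BY_BRANCH:
        return "patched" if v >= PATCHED_BY_BRANCH[branch] else "vulnerable"
    # Releases before 3.0 are not covered by the advisory: do not assume they
    # are safe, flag them for a manual look instead.
    return "unknown"


def check_plugin_header(header_text: str) -> str:
    """Combine header parsing and the branch-aware comparison."""
    version = read_plugin_version(header_text)
    if version is None:
        return "unknown"
    return patch_status(version)


# Constructed sample of the top of ninja-forms.php, one release short of the fix.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Version: 3.6.10
*/
"""

if __name__ == "__main__":
    # Usage: python check_ninja_forms.py wp-content/plugins/ninja-forms/ninja-forms.php
    # (path is an assumption; without an argument the constructed sample is checked)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read(4096)   # the header sits in the first few kilobytes
    else:
        text = SAMPLE_HEADER
    print(f"Ninja Forms {read_plugin_version(text)}: {check_plugin_header(text)}")
```

The status `vulnerable` means the site is on an affected branch below that branch's patched release, which is exactly the case a failed automatic update leaves behind; `unknown` is deliberately not treated as safe.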
Cabinet: ‘WordPress safe to use’
Ninja Forms isn't the only WordPress plugin to be hit by a serious vulnerability in recent months. The same happened earlier this year to Elementor, a so-called page builder plugin. Researchers discovered an extremely dangerous vulnerability that made it possible to upload and run arbitrary PHP code remotely, which in theory allowed a website to be taken over from a distance. The flaw was fixed in version 3.6.3.
Because the WordPress login page is reachable by anyone on the internet, the newspaper Trouw warned last year that the websites of various government services were "at an extra high risk" of being hacked. The then State Secretary for the Interior and Kingdom Relations, Raymond Knops, reassured the House of Representatives by promising that government agencies could use WordPress with peace of mind. "I see no objection to the use of individual software packages, such as WordPress, if risk assessments have been made and measures have been taken," Knops wrote in a letter to the House of Representatives.