Do you run a WordPress site? Do you also use the popular forms design and management plugin called NinjaForms? If you answered yes to both of those questions, be aware that NinjaForms was recently found to have a critical security flaw.
The flaw takes the form of a code injection vulnerability and impacts all versions of NinjaForms from 3.0 forward. With more than a million installations to its name, that makes the newly discovered bug a problem indeed.
To their credit, the company behind the plugin moved quickly and issued an update which should have auto-installed on your system.
Chloe Chamberland is a researcher at Wordfence Threat Intelligence.
Chloe had this to say about the security flaw:
"We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection.
This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present."
The security patch was auto applied to more than 730,000 NinjaForms installations. While that's excellent, it's clear that some admins don't take kindly to auto-applied patches of any sort and have taken active countermeasures against such things.
If your company is one of those, you'll need to install the latest version of NinjaForms as soon as possible. If you're not sure you use it, check with your IT staff, and make them aware of the issue.
This isn't the first time WordPress has taken away user agency in the name of security. For instance, in 2019 the Jetpack plugin received a critical security update that corrected how the plugin processed embedded code. The company didn't make a fuss over it, they simply updated everyone's Jetpack to the latest (safer) version.
Kudos to WordPress and the developers of NinjaForms for their rapid response in this instance. Kudos for keeping the web relatively safe.
________________________________________________________________________________________________________
"Fortune Favors Who Value Time over Money!"
"TeQ I.Q. was the 1st IT Company to Deliver Cloud Solutions since 2003"
Tech issues taking up your Time?
"TeQ I.Q. Makes Your Technology Simple and Easy"
Do you have Tech Frustrations like your Computer, Internet, Phone, Cellphone, Camera, TV, Car?
"We Take Away Your Tech Frustrations and Give You the Free Time You Deserve!"
Call Robert to ask all your Technology questions.
We are giving a Free in Person TeQ Seminar at our office in La Mesa every Wednesday from 12pm-1pm and a Free TeQ Support Q&A from 1pm-2pm. Go to https://www.teqiq.com/events for our upcoming Events and https://www.teqiq.com/seminars for info on each Seminar.
For Free Consultation Call Now Robert Black at (619) 255-4180 or visit our website https://www.teqiq.com/
Chase Bank and Others Trust TeQ I.Q. with their IT and TeQnology so can you!
