WordPress plugin Ninja Forms contained a security flaw that would give anyone who logged in super-admin powers, but it’s been fixed…
WordPress plugin Ninja Forms, installed on over one million sites, just received an important security update. The previous build contained vulnerable code that would allow any logged-in user to control the site entirely or give them super-administrative permissions. In other words, any logged-in user could easily perform a bulk submission export of any and all information submitted through one of the site’s forms.
Ninja Forms WordPress Plugin Permissions Access Exploited
Wordfence, the maker of a security plugin, discovered and reported the flaw to WordPress, and Ninja Forms has since been updated to fix the problem. Any site running the plugin needs to update to the most recent build. Wordfence explained:
“This vulnerability could easily be used to create a phishing campaign that could trick unsuspecting users into performing unwanted actions by abusing the trust in the domain that was used to send the email.”