The popular WordPress plugin Ninja Forms has received a security update. Researchers discovered a vulnerability so severe that WordPress pushed out a forced update. Sites running the content management system that did not update the plugin manually need not worry.
The vulnerability was disclosed by Wordfence, a cybersecurity company that has frequently revealed problems in widely used WordPress plugins.
WordPress in a nutshell
WordPress is one of the most popular content management systems (CMS) in the world. That is because you need no technical knowledge or programming experience to build your own website. In the early days, the CMS was used mainly by bloggers. Today, the range of applications is unprecedented. It is estimated that more than 75 million websites worldwide run on WordPress.
Another reason why WordPress is so popular among website builders is because it is very easy to give a site extra functionality. All you need to do is install a plugin. Adding a guestbook, slider or forum is child’s play, thanks to plugins.
Researchers find very dangerous vulnerability in Ninja Forms
However, installing plugins is not entirely risk-free. If a plugin is not properly maintained by its developer, your website may be exposed to security vulnerabilities. That is exactly the case with Ninja Forms, a plugin that lets you add a contact form to your site in no time. More than one million sites use this plugin.
Wordfence security researchers discovered that a vulnerability in this plugin made it possible to execute arbitrary code or delete arbitrary files. What makes the flaw extra dangerous is that it can be exploited without any credentials.
WordPress rolls out forced update
The security company does not provide details about the vulnerability. It does note, however, that there are indications the vulnerability was being actively exploited. WordPress has forced websites using Ninja Forms to install the security update that fixes it. Nevertheless, we advise you to verify that your site is running one of the patched versions as soon as possible, as automatic updates are not always successful.
To ensure that the vulnerability has been fixed, you must have version 184.108.40.206, 3.1.10, 3.2.28, 220.127.116.11, 18.104.22.168, 22.214.171.124 or 3.6.11 installed. Wordfence ends its blog with the following warning:
“If you know of a friend or colleague who is using this plugin on their site, we strongly recommend that you forward this alert to them to help protect their sites, as this is a serious vulnerability that could lead to a full takeover of the site.”
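Since forced updates do not always succeed, the advice above is to check the installed version yourself. The following is an added example, not code from the article or from Wordfence: it compares the installed Ninja Forms version against the patched release for its branch, using only the three branch versions that are legible above (3.1.10, 3.2.28 and 3.6.11); other branches are reported as unknown and should be added from the vendor advisory. The WP-CLI commands are real, the site path is an assumed placeholder, and version strings are assumed to be purely numeric.

```shell
#!/bin/sh
# Added example: is the installed Ninja Forms at or above the patched release?

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise (pure POSIX).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}            # missing components count as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# patched_min_for VERSION: print the minimum patched release for VERSION's
# branch (only the branches named in the article), or nothing if unknown.
patched_min_for() {
  case "$1" in
    3.1.*) echo 3.1.10 ;;
    3.2.*) echo 3.2.28 ;;
    3.6.*) echo 3.6.11 ;;
    *)     echo "" ;;
  esac
}

# status_of VERSION: prints "patched", "vulnerable" or "unknown".
status_of() {
  min=$(patched_min_for "$1")
  if [ -z "$min" ]; then echo unknown
  elif version_ge "$1" "$min"; then echo patched
  else echo vulnerable
  fi
}

# check_site WP_PATH: read the installed version via WP-CLI (real commands,
# path is a placeholder) and update the plugin only if it is still vulnerable.
check_site() {
  v=$(wp --path="$1" plugin get ninja-forms --field=version) || return 2
  s=$(status_of "$v")
  echo "ninja-forms $v: $s"
  if [ "$s" = vulnerable ]; then
    wp --path="$1" plugin update ninja-forms
  fi
}
# Usage: check_site /var/www/example-site   (assumed path)
```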
Cabinet: ‘WordPress safe to use’
Ninja Forms is not the only WordPress plugin hit by a serious vulnerability in recent months. The same thing happened earlier this year to Elementor, a so-called page builder plugin. Researchers discovered an extremely dangerous vulnerability that allowed remote upload and execution of arbitrary PHP code, which in theory made it possible to take over a website remotely. The problem was fixed in version 3.6.3.
Because WordPress exposes its login page to everyone, the newspaper Trouw warned last year that websites of various government services ran “an extra high risk” of being hacked. Raymond Knops, the then State Secretary for the Interior and Kingdom Relations, reassured the House of Representatives by promising that government agencies could use WordPress with confidence. “I see no objection to the use of individual software packages, such as WordPress, if risk assessments have been made and measures have been taken,” said Knops in a letter to the House of Representatives.