Start Free Trial
  1. SEJ
  2.  » 
  3. News

Ninja Forms Plugin Vulnerability

Ninja Forms Plugin Vulnerability

Popular WordPress Forms plugin Ninja Form recently updated their plugin to patch a severe vulnerability. The vulnerability is rated a high severity because it could allow an attacker to steal admin level access and take over the entire website.

Cross-Site Request Forgery Vulnerability

The exploit that is causing this is called Cross-Site Request Forgery. This kind of vulnerability exploits a lack of a normal security check which then allows an attacker to upload or replace files and even gain administrative access.

This is how the Common Weakness Enumeration site, describes this kind of exploit:

“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

…it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. …and can result in exposure of data or unintended code execution.”

Continue Reading Below

Ninja Forms High Severity Vulnerability

WordFence WordPress Security discovered the exploit and immediately notified the publishers of the Ninja Forms WordPress plugin. Ninja Forms immediately patched the security vulnerability within 24 hours.

According to WordFence, the vulnerability was contained in a “legacy” mode that controlled styling features that reverted to an older version. It is this part of the code that was affected.

This is how WordFence describes it:

“While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user.

… a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.”

Screenshot of Ninja Forms Changelog

Ninja Forms Changelog

The publishers of the Ninja Forms plugin responsibly updated their plugin in a timely manner. They also honestly reflected what the update was about in their changelog.

Continue Reading Below

A changelog is an explanation of what has changed in a software update. Some plugin makers try to hide what the update was about by not mentioning vulnerabilities.

Ninja Forms honestly reported what the update was about. This is very important for publishers because it alerts them as to whether something should be updated immediately or if it can wait.

This shows that Ninja Forms is a trustworthy and responsible WordPress plugin publisher.

Update Ninja Forms Now

All publishers using Ninja Forms are urged to immediately update their Ninja Forms plugin. Ninja Forms Version is the latest version. If you have an earlier version then you must update your plugin to avoid this severe vulnerability.

Read the WordFence report about the vulnerability here:

High Severity Vulnerability Patched in Ninja Forms

More Resources


Subscribe to SEJ

Get our daily newsletter from SEJ's Founder Loren Baker about the latest news in the industry!

Topic(s) of Interest*
By clicking the "SUBSCRIBE" button, I agree and accept the content agreement and privacy policy of Search Engine Journal.

Roger Montti

Owner at

Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and ... [Read full bio]

Read the Next Article
Read the Next