Exploits detected in the Ninja Forms plugin for WordPress, installed on over a million sites, can lead to a complete site takeover if not patched.
Wordfence detected a total of four vulnerabilities in the Ninja Forms WordPress plugin that could allow attackers to:
- Redirect site administrators to random locations.
- Install a plugin that could be used to intercept all mail traffic.
- Retrieve the Ninja Form OAuth Connection Key used to establish a connection with the Ninja Forms central management dashboard.
- Trick a site administrators into performing an action that could disconnect a site’s OAuth Connection.
Those vulnerabilities could lead to attackers taking control of a site and performing any number of malicious actions.
Due to the severity of the exploits, an immediate update of the plugin is recommended. As of February 8 all vulnerabilities are patched in version 18.104.22.168 of the Ninja Forms plugin.
Ninja Forms is a popular plugin that allows site owners to build contact forms using an uncomplicated drag and drop interface.
It currently has over 1 million active installations. If you have a contact form on your site, and you’re not sure which plugin it’s built with, it’s worth checking to see if you’re using Ninja Forms.
A quick update of the plugin will protect your site from all the above listed vulnerabilities.
The speed at which these vulnerabilities were patched shows how committed the plugin’s developers are to keeping it safe.
Wordfence reports it made the Ninja Forms developers aware of the vulnerabilities on January 20, and they were all patched by February 8.
Vulnerability Exploits – The 3rd Greatest Threat to WordPress Sites
Vulnerability exploits are a significant threat to WordPress sites. It’s important to update your plugins regularly so you have the latest security patches.
A report published last month lists vulnerability exploits as third among the top 3 threats to WordPress sites.
In total there were 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020.
It’s such a common attack that out of 4 million sites analyzed in the report, every one of them experienced at least one vulnerability exploit attempt last year.
Adding a firewall to your WordPress site is another way to keep it safe, as it can prevent attackers from abusing plugin vulnerabilities even if they haven’t been patched yet.
When adding a new plugin to your site it’s a good practice to check when it was last updated. It’s a good sign when plugins have been updated within recent weeks or months.
Abandoned plugins are a greater threat to sites because they may contain unpatched vulnerabilities.
For more tips on keeping your site safe, see: How to Protect a WordPress Site from Hackers.
Avoid Pirated Plugins
Avoid using pirated versions of paid plugins at all costs, as they’re the source of most widespread threat to WordPress security.
Malware from pirated themes and plugins is the number one threat to WordPress sites. Over 17% of all infected sites in 2020 had malware from a pirated plugin or theme.
Until recently it was possible to download pirated plugins from official WordPress repositories, but as of this week they have been removed.