730K WordPress sites force-updated to patch critical Ninja Forms plugin bug

WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.

The vulnerability is a code injection flaw affecting multiple Ninja Forms releases, from version 3.0 onward.

Wordfence threat analyst Ramuel Gall discovered, when reverse-engineering the patch, that unauthenticated attackers can exploit this bug remotely to call various Ninja Forms classes through a flaw in the Merge Tags feature.

Successful exploitation allows them to completely take over unpatched WordPress sites via several exploitation chains, one of which achieves remote code execution through deserialization.

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”
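The deserialization sink described above, as an added example that is not Ninja Forms code and reproduces none of the plugin's classes or POP chain: a PHP class with a side-effecting magic method stands in for a gadget, the serialized string is constructed here in place of an attacker-controlled request body, and the class name, file path and function names are assumptions for the demo. It shows why passing user-supplied content to `unserialize()` is an object injection sink and two ways to neutralise it.

```php
<?php
// Hypothetical gadget class of the kind a POP chain relies on: a magic method
// with side effects that PHP invokes automatically, with no call from the app.
class TempFileCleaner
{
    public $path;

    public function __construct($path)
    {
        $this->path = $path;
    }

    // Runs when the object is garbage-collected, even though the application
    // never touched the object after unserialize() built it.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: the string comes straight from the request and every class is
// allowed, so attacker-chosen objects are instantiated (object injection).
function restore_state_vulnerable(string $untrusted)
{
    return unserialize($untrusted);
}

// Walk the decoded value and report whether any object survived decoding.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED 1: refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class stubs, so no magic method ever runs; reject them too.
function restore_state_hardened(string $untrusted)
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if (contains_object($value)) {
        throw new UnexpectedValueException('object in untrusted payload rejected');
    }
    return $value;
}

// HARDENED 2: do not use PHP serialization for untrusted data at all; JSON
// cannot express objects with behaviour.
function restore_state_json(string $untrusted)
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Demo with a constructed payload standing in for the request body.
$tmp = tempnam(sys_get_temp_dir(), 'oi-demo');
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($tmp) . ':"' . $tmp . '";}';

restore_state_vulnerable($payload); // object built, __destruct() fires, file deleted
printf("vulnerable: temp file still exists? %s\n", var_export(is_file($tmp), true));

touch($tmp);
try {
    restore_state_hardened($payload);
} catch (UnexpectedValueException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
printf("hardened: temp file still exists? %s\n", var_export(is_file($tmp), true));
unlink($tmp);
```

Run with `php demo.php` (PHP 7.0 or later for the `allowed_classes` option). The first call deletes the temp file without any application code calling `TempFileCleaner` directly, which is the whole point of a POP chain; the hardened variant leaves the file in place and rejects the payload. When a serialized format is genuinely required, `allowed_classes` should list the exact value-object classes expected rather than `true`, and the decoded structure should still be validated before use.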

Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.

As Automattic security researcher Marc Montpas also told BleepingComputer in February, forced patching is used regardless of site admins’ update settings in “very rare and exceptionally severe cases.”

Source and more details: https://www.bleepingcomputer.com/news/security/730k-wordpress-sites-force-updated-to-patch-critical-plugin-bug/

Cross-Site Scripting Vulnerability In Download Manager Plugin

Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites. It was assigned a vulnerability identifier of CVE-2022-1985.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection.

Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of Download Manager, which is version 3.2.43 at the time of this publication.

As usual, all ProtectYourWP clients who use Download Manager have already been updated.

Source and more details: https://www.wordfence.com/blog/2022/06/security-vulnerability-download-manager-plugin