WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.
The vulnerability is a code injection vulnerability affecting multiple Ninja Forms releases, starting with version 3.0 and up.
Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.
Successful exploitation allows them to completely take over unpatched WordPress sites via several exploitation chains, one of them allowing remote code execution via deserialization to completely take over the targeted website.
“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.
“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”
Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.
As Automattic security researcher Marc Montpas also told BleepingComputer in February, forced patching is used regardless of their admins’ settings in “very rare and exceptionally severe cases.”