"Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability"
WordPress websites that use the popular Ninja Forms plugin have been automatically updated to address a severe security vulnerability suspected of being actively abused in the wild. The problem, which involves a case of code injection, is rated 9.8 out of 10 in terms of severity and impacts various versions beginning with 3.0. Ninja Forms is a contact form builder with more than 1 million installs. The problem allowed unauthenticated attackers to call a limited number of methods in different Ninja Forms classes, including a method that unserialized user-supplied material, resulting in Object Injection. This could enable attackers to execute arbitrary code or delete arbitrary files on sites with a separate property-oriented programming chain, according to Wordfence's Chloe Chamberland. This article continues to discuss the potential exploitation and impact of the critical plugin vulnerability.