Skip to main content

Once again, a critical vulnerability is detected in a WordPress plugin, putting websites at risk. This vulnerability was detected in Ninja Forms WordPress plugin with over one million active installations on June 16, 2022. It’s a code injection vulnerability that allows attackers to completely take over a website by utilizing various exploitation chains. The CVE ID of this vulnerability is not tracked yet. However, it has been rated critical severity with a CVSS score of 9.8. This post is essential for those using Ninja Forms WordPress plugin installed on their websites to understand how to fix the critical code injection vulnerability in Ninja Forms. 

Ninja Forms WordPress Plugin

Ninja Forms WordPress plugin is the most user-friendly contact form builder for creating attractive forms. No coding skills are required to design complex forms like a pro with drag and drop fields. It has easy row and column layouts, conditional forms and multi-page forms. 

This form allows users to upload files and send or export submissions as PDF, Google Sheets, and Microsoft Excel files. Moreover, you can accept credit cards and payments quickly and securely from any of your WordPress forms. It lets you provide your customers with all the options, such as single payments or subscriptions, variable, fixed, or user-entered amounts. 

Here are some additional features of the Ninja Forms WordPress plugin.

  • Easy WordPress GDPR compliance
  • Use pre-built templates to get started fast
  • Mobile responsive and blends easily with a well-designed theme
  • More integrations than any other form builder

Summary Of The Code Injection Vulnerability In Ninja Forms

A critical code injection vulnerability was detected in the WordPress Ninja Forms plugin. This vulnerability made it possible for unauthenticated criminals to call a limited number of methods in several Ninja Forms classes. The method includes unserializing user-supplied data that result in Object Injection. It could allow hackers to execute arbitrary code or delete arbitrary files on websites where a separate POP chain was found. 

WordPress seems to force automatic updates for this plugin. It might be possible that your website may already be using one of the patched versions, as this flaw has been patched in various versions.

Associated CVE-ID Pending
CVSS Score 9.8
Impact Score
Exploitability Score 
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Require (PR)None
User Interaction (UI)None
Scope Unchanged
Confidentiality High
Integrity High
Availability HighHigh

Affected Versions

Here is a list of versions affected by code injection vulnerability in Ninja Forms WordPress Plugin.

  • 3.6-3.6.10
  • 3.5-
  • 3.4-
  • 3.3-
  • 3.2-3.2.27 
  • 3.1-3.1.9 
  • 3.0-

This vulnerability has been fully patched in the following versions.

  • 3.1.10, 3.2.28
  • 3.6.11

How To Fix A Code Injection Vulnerability In Ninja Forms WordPress Plugin?

It is recommended to check whether the Ninja Forms plugin is up to date or not. Its latest version is 3.6.11. Update the plugin to avoid exploitation.

If the force update fails, it means your website is at significant risk. In such a scenario, you need to update the plugin manually using the plugin’s dashboard.

See Also How To Fix CVE-2022-22951(2)- Critical Vulnerabilities In VMware Carbon Black App Control Server

Here are the steps to update the Ninja Forms plugin on your WordPress website.

  1. Log into your WordPress website/
  2. Go to the plugins page and find the Ninja Forms plugin.
  3. Click on ‘Update Now’ next to the plugin.
  4. WordPress will update the plugin, and you will be all set.

If you believe your website has been compromised due to the code injection vulnerability in Ninja Form plugin, get incident response services via Wordfence Care.

Leave a Reply