Vulnerabilities discovered in the Ninja Forms plugin for WordPress, which is installed on over a million websites, can lead to a complete takeover of the site if left unpatched.
Wordfence has discovered a total of four security holes in the Ninja Forms WordPress plugin that could allow attackers to:
- Redirect site administrators to arbitrary locations.
- Install a plugin that can be used to intercept all email traffic.
- Obtain the Ninja Forms OAuth connection key that is used to connect a site to the Ninja Forms central management dashboard.
- Trick site administrators into taking actions that disconnect a site from OAuth.
These vulnerabilities could allow an attacker to take control of a website and perform any number of malicious actions.
Due to the severity of the vulnerabilities, an immediate update of the plugin is recommended. As of February 8, all of the vulnerabilities have been patched in version 18.104.22.168 of the Ninja Forms plugin.
Ninja Forms is a popular plugin that allows website owners to create contact forms using a straightforward drag and drop interface.
Over 1 million installations are currently active. If you have a contact form on your website and are not sure which plugin was used to create it, you should check whether you are using Ninja Forms.
A quick update of the plugin will protect your site from all of the security vulnerabilities listed above.
The speed with which these vulnerabilities were addressed shows the plugin developers' commitment to security.
Wordfence reports that the developers of Ninja Forms were made aware of the vulnerabilities on January 20th and all of them were patched by February 8th.
Vulnerability Exploits – The Third Biggest Threat To WordPress Sites
Vulnerability exploits are a significant threat to WordPress sites. It is important that you update your plugins regularly so that you have the latest security patches.
A report released last month listed vulnerability exploits as the third of the top three threats to WordPress websites.
In total, there were 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020.
The attack is so common that every one of the 4 million websites analyzed in the report saw at least one attempt to exploit a vulnerability in the last year.
Adding a firewall to your WordPress site is another way to protect it, as it can prevent attackers from misusing plugin vulnerabilities, even if they have not yet been patched.
Whenever you add a new plugin to your website, be sure to check when it was last updated. It is a good sign if a plugin has been updated within the last few weeks or months.
Abandoned plugins pose a greater threat to websites as they may contain unpatched security vulnerabilities.
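The two checks the article recommends, keeping plugins on the latest release and spotting plugins that look abandoned, can be automated against the plugin metadata that the public WordPress.org plugin info API returns. The script below is an added example, not code from the article or from the Ninja Forms project; the API responses, installed versions and the reference date are constructed samples embedded so it runs offline, and the 180-day staleness threshold is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed sample responses in the shape of the WordPress.org plugin info API
# (https://api.wordpress.org/plugins/info/1.0/<slug>.json), reduced to the fields
# this check uses. The version strings and the second slug are made-up placeholders.
SAMPLE_API_RESPONSES = {
    "ninja-forms": {"version": "2.0.1", "last_updated": "2021-02-08 6:19pm GMT"},
    "example-abandoned-plugin": {"version": "1.3.0", "last_updated": "2018-05-01 11:02am GMT"},
}

# Constructed inventory of a site's installed plugins: slug -> installed version.
INSTALLED_PLUGINS = {"ninja-forms": "2.0.0", "example-abandoned-plugin": "1.3.0"}


def parse_last_updated(value: str) -> datetime:
    """Parse the API's 'YYYY-MM-DD H:MMam/pm GMT' timestamp into a datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")


def version_tuple(version: str) -> tuple:
    """Turn '3.4.34' into (3, 4, 34) so releases compare numerically, not as strings.
    Non-numeric suffixes (e.g. '1.0.0-beta') contribute only their digits."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess_plugin(slug, installed_version, api_record, now, stale_days=180):
    """Report whether a newer release exists and whether the plugin looks abandoned."""
    latest = api_record["version"]
    last_updated = parse_last_updated(api_record["last_updated"])
    age = now - last_updated
    return {
        "slug": slug,
        "update_available": version_tuple(installed_version) < version_tuple(latest),
        "latest_version": latest,
        "days_since_update": age.days,
        "abandoned": age > timedelta(days=stale_days),  # assumed threshold
    }


def audit_site(installed, api_responses, now, stale_days=180):
    """Run assess_plugin over every installed plugin that has an API record."""
    return [assess_plugin(slug, ver, api_responses[slug], now, stale_days)
            for slug, ver in installed.items() if slug in api_responses]


if __name__ == "__main__":
    reference_now = datetime(2021, 2, 10)  # constructed "today" for a deterministic run
    for finding in audit_site(INSTALLED_PLUGINS, SAMPLE_API_RESPONSES, reference_now):
        print(json.dumps(finding))
```

In a real audit the records would come from fetching the API URL for each installed slug and the reference date from the current time.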
For more tips on protecting your website, see: How to Protect a WordPress Website From Hackers.
Avoid pirated copies
Avoid using pirated copies of paid plugins at all costs as they are the most widespread threat to WordPress security.
Malware from pirated plugins and themes is the number one threat to WordPress websites. Over 17% of all infected websites in 2020 had malware from a pirated plugin or theme.
Until recently it was possible to download pirated copies from official WordPress repositories, but as of this week they have been removed.