As reported by the Wordfence guys, Ninja Forms – a popular form plugin (contact forms, subscription forms, etc.) – is suffering from a number of serious security vulnerabilities.
Put together, those vulnerabilities have been labeled “very high risk,” which in web-security-speak basically means this:
In short, the vulnerabilities let an attacker upload and execute a shell on your WordPress site through a page with a Ninja Forms form on it.
To make it worse, as Wordfence reports:
The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42.
This is just … wow! … So to really emphasize this … the only thing an attacker needs is an URL where a Ninja Forms form can be found. And those are not that difficult to discover, by the way. For instance, all it takes is a glance at the source of a vulnerable page:
Long story short, if you don’t have any security mechanisms implemented, either through plugins or some custom-written scripts, and you are using Ninja Forms ver 2.9.36-2.9.42 then you need to act fast.
What to do
Okay, first off, don’t panic. It’s not the end of the world. You have some options:
- Update the Ninja Forms plugin to the newest version as soon as possible.
- Get yourself a security plugin that’s going to protect you in case those vulnerabilities stay with Ninja Forms for a while longer.
Wordfence, for example, reports that their plugin has rules set up to protect you from the kind of problems discussed here, so get the newest version of Wordfence too.
Or, there’s a third alternative:
Switch to a different forms plugin
We talked about some great contact form plugins a while ago, and we listed 5 other plugins apart from Ninja Forms (which also made the list). See that comparison here: The best contact form plugins for WordPress (updated for 2016).
Depending on what set of features you need, some of them will be a better fit than others. However, if you’re after some basic contact form functionality then you can go with pretty much anything described there.
Whatever you do, do it fast!
Here’s what the Wordfence team says:
We are monitoring attacks in real-time and are not yet seeing this being widely exploited yet. We suspect this is because an exploit has not shown up yet on exploit-db or other public exploit databases (as of 9am Pacific time on May 5th). We expect this to happen within 48 hours and there will almost immediately be widespread attacks that exploit this vulnerability.
Okay, that sums it up for today. Stay safe, guys!UPDATE: Here’s the official comment by the Ninja Forms guys.