Ninja Forms WordPress plugin, actively exploited in wild, receives forced security update

The form-building plugin is used on over one million websites.


A critical vulnerability in a WordPress plugin used on over one million websites has been patched, after evidence emerged that malicious hackers were actively exploiting it in the wild.

WordPress has pushed out a forced automatic update to the widely-used Ninja Forms plugin after security researchers.

According to an analysis by experts at WordFence, the vulnerability “could allow attackers to execute arbitrary code or delete arbitrary files on sites.”


In short, an unauthenticated attacker could exploit the security hole in the Ninja Forms WordPress plugin to run code of their own choice, and gain complete control over a vulnerable website.

Nasty. And clearly WordPress thought so, as it appears to have initiated a forced update to third-party WordPress-powered websites running vulnerable versions of the plugin.


That forced update to the plugin took some website owners by surprise, as it occurred without any prior communication, as posts on the Ninja Forms support forum show.

Website administrators who view the Ninja Forms changelog may not initially recognise quite how serious the vulnerability was, as the entry for the fixed release says only:

3.6.11 (14 June 2022)

Security Enhancements
* Apply more strict sanitization to merge tag values

If you run the Ninja Forms plugin on your WordPress website, make sure that you are running the latest version. According to Wordfence, the flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
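One way to check a site against that list is to read the version out of the plugin's header and compare it with the patched release for the same branch. The script below is an added example, not code from this article, from Wordfence, or from the Ninja Forms project. It assumes the standard WordPress plugin header format (a `Version:` line in the main plugin file's comment block), that the plugin lives at the conventional path `wp-content/plugins/ninja-forms/ninja-forms.php`, and that every release newer than 3.6.11 carries the fix; the sample header embedded at the bottom is constructed for the demonstration.

```python
"""Classify an installed Ninja Forms version against the patched releases
listed by Wordfence: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11.

Added example; not the plugin's, Wordfence's or the article author's code.
"""
import re
import sys
from pathlib import Path

# Fixed release for each supported branch, as listed in the Wordfence advisory.
PATCHED_RELEASES = ("3.0.34.2", "3.1.10", "3.2.28", "3.3.21.4",
                    "3.4.34.2", "3.5.8.4", "3.6.11")


def parse_version(version):
    """'3.5.8.4' -> (3, 5, 8, 4).

    Tuple comparison gives the ordering we need, including the four-part
    backport releases: (3, 5, 8) < (3, 5, 8, 4) < (3, 5, 9).
    """
    return tuple(int(part) for part in version.strip().split("."))


# branch (major, minor) -> lowest patched version in that branch
_PATCHED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in PATCHED_RELEASES}


def version_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version."""
    installed = parse_version(version)
    branch = installed[:2]
    floor = _PATCHED_BY_BRANCH.get(branch)
    if floor is not None:
        return "patched" if installed >= floor else "vulnerable"
    if branch > max(_PATCHED_BY_BRANCH):
        # Assumption: releases after the 3.6 branch all include the fix.
        return "patched"
    # Older than the 3.0 branch: the advisory does not cover it.
    return "unknown"


# Matches the 'Version: x.y.z' line of a WordPress plugin header comment,
# with or without the leading '*' used in docblock-style headers.
_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_plugin_header(source):
    """Extract the version string from a plugin's main PHP file contents."""
    match = _HEADER_RE.search(source)
    if match is None:
        raise ValueError("no 'Version:' header found in plugin source")
    return match.group(1)


def check_plugin_file(path):
    """Read the plugin's main file from disk and classify its version."""
    source = Path(path).read_text(encoding="utf-8", errors="replace")
    return version_status(version_from_plugin_header(source))


# Constructed sample header (not taken from the real plugin) showing a
# vulnerable 3.6.x release one step below the fixed one.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Version: 3.6.10
*/
"""

if __name__ == "__main__":
    # Assumed conventional install path; pass a different one as argv[1].
    default = "wp-content/plugins/ninja-forms/ninja-forms.php"
    target = sys.argv[1] if len(sys.argv) > 1 else default
    try:
        print(f"{target}: {check_plugin_file(target)}")
    except FileNotFoundError:
        print(f"{target}: not found; sample header is "
              f"{version_status(version_from_plugin_header(SAMPLE_HEADER))}")
```

Note that a plain string comparison would get the backport releases wrong (`"3.5.8.4" < "3.5.8"` is false as strings but the tuple comparison says 3.5.8 is the older one), which is why the version is split into integer components before comparing.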



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
