Ninja Forms WordPress plugin, actively exploited in wild, receives forced security update

The form-building plugin is used on over one million websites.

NinjaForms WordPress plugin, actively exploited in wild, receives forced security update

A critical vulnerability in a WordPress plugin used on over one million websites has been patched, after evidence emerged that malicious hackers were actively exploited in the wild.

WordPress has pushed out a forced automatic update to the widely-used Ninja Forms plugin after security researchers.

According to an analysis by experts at WordFence, the vulnerability “could allow attackers to execute arbitrary code or delete arbitrary files on sites.”

Sign up to our free newsletter.
Security news, advice, and tips.

In short, an unauthenticated attacker could exploit the security hole in the Ninja Forms WordPress plugin to run code of their own choice, and gain complete control over a vulnerable website.

Nasty. And clearly WordPress thought so, as it appears to have initiated a forced update to third-party WordPress-powered websites running vulnerable versions of the plugin.

Ninja forms plugin

That forced update to the plugin took some website owners by surprise, as it occurred without any prior communication:

Ninja forms support

Website administrators who view the Ninja Forms changelog may not initially recognise quite how serious things the vulnerability was:

Ninja forms changelog

3.6.11 (14 June 2022)

Security Enhancements
* Apply more strict sanitization to merge tag values

If you run the Ninja Forms plugin on your WordPress website, make sure that you are running the latest version. According to Wordfence, the flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.