WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.
The vulnerability is a code injection vulnerability affecting multiple Ninja Forms releases, starting with version 3.0 and up.
Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.
Successful exploitation allows them to completely take over unpatched WordPress sites via several exploitation chains, one of them allowing remote code execution via deserialization to completely take over the targeted website.
“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.
“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”
Force-updated and likely exploited in the wild
While there hasn’t been an official announcement, most vulnerable websites seem to have already been force-updated based on the number of downloads since this flaw was patched on June 14.
According to Ninja Forms’ downloads stats, the security update has been rolled out over 730,000 times since the patch was released.
If the plugin hasn’t yet been updated automatically to the patched version, you can also manually apply the security update from the dashboard (the latest version secured against attacks is 3.6.11).
Wordfence analysts have also found evidence indicating that this security flaw is already exploited in ongoing attacks.
“WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions,” Chamberland added.
Forced updates used to patch critical bugs
This matches previous instances when Automattic, the company behind the WordPress content management system, used forced updates to quickly patch critical security flaws used by hundreds of thousands or millions of sites.
Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.
As Automattic security researcher Marc Montpas also told BleepingComputer in February, forced patching is used regardless of their admins’ settings in “very rare and exceptionally severe cases.”
For instance, in 2019, Jetpack received a critical security update that addressed a bug in how the plugin processed embed code.
Other forced security updates addressed an issue found during an internal audit of the Jetpack Contact Form block in December 2018, a critical bug in the way some Jetpack shortcodes were processed back in May 2016, and an auth logic problem in June 2021.
More recently, in February 2022, 3 million websites using the UpdraftPlus WordPress plugin were force-patched to close a vulnerability enabling subscribers to download the database backups.