Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

WordFence - 

On August 3, 2021, the Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used to phish unsuspecting users.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on August 2, 2021. Sites still using the free version of Wordfence received the same protection on September 1, 2021.

We sent the full disclosure details to Ninja Forms on August 3, 2021, as per the security disclosure policy listed on the Ninja Forms website. Ninja Forms acknowledged the report the same day and informed us that they would start working on a fix immediately. A patch was released on September 7, 2021 in version 3.5.8.

We strongly recommend updating immediately to the latest patched version of Ninja Forms, which is version 3.5.8.2 at the time of this publication.

Description: Unprotected REST-API to Sensitive Information Disclosure
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions:

Read More: https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninja-forms-plugin-affects-over-1-million-site-owners/