Skip to main content

Update NinjaForms In WordPress To Avoid Potential Hack

By May 15, 2020May 5th, 2022Cybersecurity

Are you one of the million-plus website owners making use of Ninja Forms for WordPress? If so, be aware that the company has recently patched a serious security flaw that allowed hackers to inject malicious code and take over websites.

The attack is accomplished via a Cross-Site Request Forgery (CSRF) that leads to a Stored Cross-Site Script attack.

All versions of Ninja Forms from and earlier are vulnerable.

Wordfence QA Engineer Ram Gall had this to say about the vulnerability:

Depending on where the JavaScript was placed in the imported form, it could be executed in a victim’s browser whenever they visited a page containing the form, whenever an Administrator visited the plugin’s Import/Export page, or whenever an Administrator attempted to edit any of the form’s fields.

As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.”

The plugin’s developers took swift action. They were informed of the issue by Wordforce on April 27th, 2020, and issued a patch just five days later. Unfortunately, based on the company’s statistics, the majority of sites making use of Ninja Forms (more than 800,000) are running old versions, and are still vulnerable.

Wordfence has rated this security flaw with a CVSS score of 8.8, which makes it a high severity issue. If you use the plugin in any capacity, it’s important that you patch to the latest version as soon as possible to help keep your system secure.

Kudos to the sharp-eyed team at Wordfence for spotting the issue, and to the Ninja Forms development team for their fast action in delivering a patch!

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.