June 20, 2022
Plug-ins are part of WordPress echo system, and they play a major role, you almost can’t find a WordPress website without few plug-ins installed, recently an automatic update is rolled to over a million WordPress sites, to patch a critical vulnerability in Ninja Forms plug-in.
WordPress now powers 40% of the world's websites.
WordPress pushed an automatic update for the Ninja Forms plug-in, this update applies to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11.
Administrators are encouraged to manually check if their systems are automatically updated to a vulnerability free version.
The vulnerability allows unauthenticated attackers to call static methods, this could lead to a complete WordPress site overtake.
This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.It appears as though WordPress may have performed a forced update so your site may already be on one of the patched versions. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible.
Conclusion:
What we care about is how we can minimise the window of potential compromise to the business, any environment is full of technologies and services that are on constant battle with vulnerabilities.
Having a solid asset management, threat intelligence, and patch management capabilities will work hand in hand to attempt and keep your business secure and operational.
Resources: