Are you website owners making use of Ninja Forms?

If so, be aware that the company has recently patched a serious security flaw that allowed hackers to inject malicious code and take over websites.

The attack is accomplished via a Cross-Site Request Forgery (CSRF) that leads to a Stored Cross-Site Script attack.

All versions of Ninja Forms from and earlier are vulnerable.

Wordfence had this to say about the vulnerability

"Depending on where the JavaScript was placed in the imported form, it could be executed in a victim's browser whenever they visited a page containing the form, whenever an Administrator visited the plugin's Import/Export page, or whenever an Administrator attempted to edit any of the form's fields.

As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator's browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor's browser could be used to redirect that visitor to a malicious site."

The plugin's developers took swift action. They were informed of the issue by Wordfence on April 27th, 2020, and issued a patch just five days later. Unfortunately, based on the company's statistics, the majority of sites making use of Ninja Forms (more than 800,000) are running old versions, and are still vulnerable.

Wordfence has rated this security flaw with a CVSS score of 8.8, which makes it a high severity issue. If you use the plugin in any capacity, it's important that you patch to the latest version as soon as possible to help keep your system secure.

Our perspective

Kudos to the sharp-eyed team at Wordfence for spotting the issue, and to the Ninja Forms development team for their fast action in delivering a patch!

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there! " ~


Meanwhile, check out this report

This free executive report may give you insights into how to build your business with safe IT environments: 10 Hidden IT Risks That Might Threaten Your Business and 1 Easy Way to Find Them

The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available on LinkedIn, Facebook, and Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT SupportI am Denis Wilson, President and Principal Consultant for DWP Information Architects. I help professionals grow their business by building a foundation of rock-solid IT and communications solutions for smaller insurance brokerages, financial services, and accountancy and law firms in Ventura County and San Fernando Valley. I have created cost-effective personal service automation solutions, for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs.

Contact me if you would like me to speak at your association