WordPress.org Forces Security Update for Critical Ninja Forms Vulnerability

via wptavern.com (original post)

Late last week, Ninja Forms users received a forced security update from WordPress.org for a critical PHP Object Injection vulnerability. This particular vulnerability can be exploited remotely without any authentication. It was publicly disclosed last week and patched in the latest version, 3.6.11. Patches were also backported to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, and 3.5.8.4.

Wordfence noticed a back-ported security update in the form builder plugin, which has more than a million active installs. Threat analyst Chloe Chamberland explained the vulnerability in an advisory alerting the company’s users:

We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.
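To make the mechanism in that advisory concrete, here is an added illustration of the general PHP Object Injection pattern it describes: untrusted input reaching unserialize(), plus an unrelated class whose magic method has a side effect (a "gadget" in a POP chain), is enough to trigger that side effect without any intended code path. This is example code written for this page, not Ninja Forms code; the class TempFileCleaner, the function names and the payload are all hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
// Added example (not Ninja Forms or WordPress code). Every class and
// function name here is hypothetical; the payload is constructed inline.

// A harmless-looking class that exists somewhere in the application.
// Its destructor is the gadget: it runs whenever an instance is destroyed,
// including instances that unserialize() built from attacker data.
class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // Side effect an attacker can aim at any file the PHP process may delete.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE pattern: attacker-controlled bytes go straight into unserialize().
// Any loadable class can be instantiated with attacker-chosen property values,
// so its __wakeup/__destruct/__toString code runs on the attacker's behalf.
function restore_state_vulnerable(string $user_supplied): mixed
{
    return unserialize($user_supplied);
}

// HARDENED pattern: forbid object instantiation entirely. With
// allowed_classes => false, any "O:" record becomes __PHP_Incomplete_Class,
// a placeholder with no magic methods, so no gadget code can run.
// (If objects of specific classes are genuinely needed, pass an explicit
// allow-list instead of false; never allow-list classes with side effects.)
function restore_state_no_objects(string $user_supplied): mixed
{
    return unserialize($user_supplied, ['allowed_classes' => false]);
}

// Often the better fix: do not use PHP serialization for untrusted input at
// all. JSON cannot express objects with behaviour, only plain arrays/scalars.
function restore_state_json(string $user_supplied): ?array
{
    $data = json_decode($user_supplied, true);
    return is_array($data) ? $data : null;
}

// --- Demonstration on a constructed payload ---------------------------------

// A file the attacker wants deleted (created here just for the demo).
$victim = tempnam(sys_get_temp_dir(), 'victim');
file_put_contents($victim, 'important');

// Constructed attacker payload: a serialized TempFileCleaner whose "path"
// points at the victim file. Built as a string on purpose, so no real
// TempFileCleaner object (and therefore no destructor) exists yet.
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:'
    . strlen($victim) . ':"' . $victim . '";}';

// Hardened path: the object is never instantiated as TempFileCleaner.
$safe = restore_state_no_objects($payload);
echo "hardened: class=", get_class($safe),
     " file_exists=", var_export(file_exists($victim), true), PHP_EOL;
unset($safe);
echo "hardened after unset: file_exists=", var_export(file_exists($victim), true), PHP_EOL;

// JSON path: the payload is not valid JSON and is rejected outright.
echo "json: ", var_export(restore_state_json($payload), true), PHP_EOL;

// Vulnerable path: a real TempFileCleaner is built from attacker data, and
// destroying it fires __destruct() on the attacker-chosen path.
$obj = restore_state_vulnerable($payload);
echo "vulnerable: class=", get_class($obj), PHP_EOL;
unset($obj);
echo "vulnerable after unset: file_exists=", var_export(file_exists($victim), true), PHP_EOL;
```

Run it with the PHP CLI and compare the file_exists values printed by the hardened and vulnerable paths. The point the advisory makes about a "separate POP chain" is visible here: restore_state_vulnerable() contains no file-deletion code of its own; the damage comes from a class that was written for something else entirely, which is why auditing only the function that calls unserialize() is not enough. Note that allowed_classes stops gadget instantiation but does not, by itself, validate the structure of what comes back, so the caller should still check types before using the result.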