Ninja Forms SQL injection update immediately

There is a new vulnerability in the WordPress plugin Ninja Forms that affects all versions up to 3.6.3. The vulnerability allows SQL injection, which gives the attacker access to run queries to the database through the empty fields of the form.

The add-on developer released version 3.6.4 two days ago.

sQL injection

The Ninja Forms add-on allows you to design forms on WordPress sites and currently has more than 1 million active installations. However, this plugin often reveals vulnerabilities, such as that reported September 22, 2021 by WordFence. The new vulnerability is supposed to have been fixed with version 3.6.4, without further details being revealed.

There is currently no detailed description of how this vulnerability identified by CVE-2021-24889 could be exploited. But on November 4, developers plan to publish a PoC that shows this.

Historically, the vulnerability in the Ninja Forms plugin reported in late September involved unprotected requests via the REST API, which allowed intruders to skim off sensitive data or perform email injections.

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Ninja Forms, SQL injection, WordPress, iguru

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).