A new vulnerability in the WordPress plugin Ninja Forms affects all versions up to 3.6.3. It is a SQL injection flaw that lets an attacker run queries against the database through the empty fields of the form.
The add-on developer released version 3.6.4 two days ago.
The Ninja Forms add-on allows you to design forms on WordPress sites and currently has more than 1 million active installations. However, vulnerabilities are often found in this plugin, such as the one reported on September 22, 2021 by Wordfence. The new vulnerability is supposed to have been fixed in version 3.6.4, with no further details disclosed.
There is currently no detailed description of how this vulnerability, identified as CVE-2021-24889, could be exploited. However, developers plan to publish a PoC demonstrating it on November 4.
For context, the Ninja Forms vulnerability reported in late September involved unprotected requests via the REST API, which allowed intruders to extract sensitive data or perform email injections.