There is a new vulnerability in the Ninja Forms WordPress plugin that affects all versions up to 3.6.3. Vulnerability allows SQL injection, which they give to the attacker access to run queries on base data through the blank fields of the form.
The developer of the plugin has released the version 3.6.4 two days ago.
The Ninja Forms add-on allows you to design forms on WordPress sites and currently has more than 1 million active installations. However, this plugin often reveals vulnerabilities, such as that reported September 22, 2021 by WordFence. The new vulnerability is supposed to have been fixed with version 3.6.4, without further details being revealed.
There is currently no detailed description of how this vulnerability identified by CVE-2021-24889 could be exploited. But on November 4, developers plan to publish a PoC that shows this.
For the record the vulnerability in the Ninja Forms plugin reported in late September involved unprotected requests through the REST API, which allowed attackers to skim off sensitive data or send emails injections.