Recently, information about two code injection vulnerabilities surfaced on the web. They made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserializes user-supplied content, resulting in PHP Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present. It is recommended that you update your sites immediately. To avoid website crashes and to ensure timely security updates, it is best to use our WordPress Maintenance Service.
WordPress Ninja Forms plugin <= 3.6.10 – Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered in WordPress Ninja Forms plugin (versions <= 3.6.10). Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.11).
WordPress Ninja Forms plugin <= 3.6.9 – Authenticated Stored Cross-Site Scripting (XSS) vulnerability
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Weakness type (CWE-79): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is served to other users as a web page.
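The object injection issue described above comes down to calling unserialize() on request data. As an added example (not Ninja Forms code and not from the original post), here is that vulnerable pattern beside a hardened loader that refuses to instantiate any class; the function names `vulnerable_load`, `safe_load` and `contains_incomplete_class` and the sample inputs are my own.

```php
<?php
// Added example, not Ninja Forms code. Hardening a deserialization entry
// point that may receive attacker-controlled input from an unauthenticated request.
declare(strict_types=1);

// Vulnerable pattern: bare unserialize() instantiates whatever class the
// payload names, so any __wakeup()/__destruct() side effect elsewhere in the
// codebase (a POP chain) becomes reachable.
function vulnerable_load(string $payload)
{
    return unserialize($payload);
}

// Hardened pattern: scalars and arrays still round-trip, but serialized
// objects are rejected before and after parsing. Prefer JSON for new code.
function safe_load(string $payload)
{
    // Cheap pre-check: an object token ("O:" or "C:") appears at the start or
    // right after ";" or "{". May false-positive on string contents; that is
    // an acceptable, conservative rejection for request data.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $payload)) {
        return null;
    }
    // allowed_classes => false turns any remaining object into
    // __PHP_Incomplete_Class instead of a live instance.
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== 'b:0;') {
        return null; // malformed input, not the legitimate serialized "false"
    }
    return contains_incomplete_class($value) ? null : $value;
}

// Recursively detect stub objects so they are never used silently.
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a plain settings array and a serialized stdClass object.
$benign = serialize(['fields' => ['name', 'email'], 'version' => 3]);
$object = 'O:8:"stdClass":1:{s:4:"note";s:2:"hi";}';
var_dump(safe_load($benign)); // the array, unchanged
var_dump(safe_load($object)); // NULL: object payload rejected
```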