WordPress sites that use Ninja Forms, a forms-builder plugin, were force-updated this week to a new build that fixes a critical security flaw likely being exploited in the wild.

The vulnerability is a code injection flaw affecting multiple Ninja Forms releases from version 3.0 onward.

Ramuel Gall, a Wordfence threat analyst, found that an unauthenticated attacker could exploit the bug remotely, using a flaw in the Merge Tags feature to call methods in various Ninja Forms classes.

Using several exploitation chains, attackers can compromise WordPress sites that have not been patched.

One of these chains allows remote code execution via deserialization, giving the attacker control of the target website.

"We discovered a code injection vulnerability which made it possible for unauthenticated attackers to call a limited number of methods in different Ninja Forms classes, including a method that unserialized the user-supplied contents, resulting in Object Injection," Wordfence threat intelligence leader Chloe Chamberland stated.

"This could enable attackers to execute arbitrary code or delete arbitrary files from sites with separate POP chains."
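The quoted finding comes down to one pattern: `unserialize()` called on content the visitor controls. The following is an added illustration, not Ninja Forms or Wordfence code, of why that pattern is dangerous and what the hardened forms look like. The `CacheEntry` class and the serialized string are constructed stand-ins for any class in a codebase that carries a magic method.

```php
<?php
// Added illustration (not Ninja Forms code): unserialize() on untrusted
// input lets the sender pick which class gets instantiated, and PHP then
// runs that class's magic methods for them. CacheEntry is a constructed
// stand-in for any such class present in a real codebase.

class CacheEntry
{
    public string $path = '';

    // Runs automatically whenever a CacheEntry is unserialized.
    public function __wakeup(): void
    {
        echo "__wakeup ran with caller-chosen path: {$this->path}\n";
    }
}

// Constructed input: a serialized CacheEntry where the code expected
// plain form data. (10 = strlen("CacheEntry"), 13 = strlen("/tmp/anything"))
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:13:"/tmp/anything";}';

// Vulnerable pattern: any loaded class can be instantiated and its
// __wakeup/__destruct/__toString run with attacker-chosen properties.
function vulnerable(string $input)
{
    return unserialize($input);
}

// Hardened pattern 1: refuse to instantiate classes at all. Objects come
// back as __PHP_Incomplete_Class and no magic method is invoked.
function hardened_no_classes(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred): never use PHP serialization for data
// that crosses a trust boundary; JSON has no class or method semantics.
function hardened_json(string $input): array
{
    $value = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    return $value;
}

$a = vulnerable($untrusted);            // prints the __wakeup line
$b = hardened_no_classes($untrusted);   // __wakeup does not run
echo get_class($b), "\n";               // __PHP_Incomplete_Class

try {
    hardened_json($untrusted);          // serialized PHP is not valid JSON
} catch (JsonException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Object Injection itself is only the first link: the article's "POP chains" are sequences of existing classes whose magic methods, fed attacker-chosen properties, end in a file write, a file deletion or code execution. Removing the reachable `unserialize()` call, or passing `allowed_classes => false`, breaks the chain at its root regardless of which gadget classes the site happens to load.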

Although there has been no official announcement yet, the download count since June 14th suggests that most vulnerable websites have been force-updated.

Ninja Forms has released stats showing that the security patch has been downloaded 730,000 times since its release.

If the plugin has not been updated automatically, you can apply the security update manually from the WordPress dashboard. The newest version that protects against these attacks is 3.6.11.
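Rather than trusting that the forced update landed, a site owner can check the installed build against the patched release named above. The script below is an added check, not WordPress or Ninja Forms code. It assumes the plugin's main file sits at the standard path `wp-content/plugins/ninja-forms/ninja-forms.php` and reads the version from the WordPress plugin header; the sample header embedded in it is constructed so the parser can be exercised without a live install.

```php
<?php
// Added check (not WordPress or Ninja Forms code): confirm the installed
// Ninja Forms build is at or above the patched release from the article.

const PATCHED_VERSION = '3.6.11';

// WordPress plugin headers are a comment block at the top of the main
// plugin file containing a line such as " * Version: 3.6.11".
function versionFromHeader(string $header): ?string
{
    return preg_match('/^\s*\*?\s*Version:\s*([0-9][\w.\-]*)/mi', $header, $m)
        ? $m[1]
        : null;
}

function isPatched(?string $installed): bool
{
    return $installed !== null
        && version_compare($installed, PATCHED_VERSION, '>=');
}

// Constructed sample header (not copied from the plugin) to show the parser
// handling a build that is older than the fix.
$sampleHeader = <<<'PHPHDR'
<?php
/*
 * Plugin Name: Ninja Forms
 * Version: 3.6.9
 */
PHPHDR;

$sampleVersion = versionFromHeader($sampleHeader);
printf("sample header: %s -> %s\n", $sampleVersion,
    isPatched($sampleVersion) ? 'patched' : 'UPDATE REQUIRED');

// Real check: pass the WordPress root as the first argument.
// Assumed standard plugin path; adjust if your install differs.
$root       = $argv[1] ?? '/var/www/html';
$pluginFile = $root . '/wp-content/plugins/ninja-forms/ninja-forms.php';

if (!is_readable($pluginFile)) {
    echo "Ninja Forms not found at {$pluginFile}\n";
    exit(2);
}

// Only the header is needed; 8 KiB is plenty and avoids loading the file.
$installed = versionFromHeader((string) file_get_contents($pluginFile, false, null, 0, 8192));

if ($installed === null) {
    echo "Could not read a Version header from {$pluginFile}\n";
    exit(2);
}
printf("installed %s -> %s\n", $installed,
    isPatched($installed) ? 'patched' : 'UPDATE REQUIRED');
exit(isPatched($installed) ? 0 : 1);
```

Run it as `php check-ninja-forms.php /path/to/wordpress`; a non-zero exit status on an unpatched or missing install makes it easy to drop into a fleet-wide cron job or monitoring hook.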

Wordfence analysts also found evidence that the security flaw was being used in ongoing attacks.

Chamberland noted that WordPress may have already forced an automatic update of the plugin, so your site could already be running one of the patched versions.