• Latest
  • Trending
730K WordPress sites force-updated to patch critical plugin bug

730K WordPress sites force-updated to patch critical plugin bug

June 17, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Thursday, 16 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

730K WordPress sites force-updated to patch critical plugin bug

by ITECHNEWS
June 17, 2022
in Infosec, Leading Stories
0 0
0
730K WordPress sites force-updated to patch critical plugin bug

WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.

The vulnerability is a code injection vulnerability affecting multiple Ninja Forms releases, starting with version 3.0 and up.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.

Successful exploitation allows them to completely take over unpatched WordPress sites via several exploitation chains, one of them allowing remote code execution via deserialization to completely take over the targeted website.

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”

Force-updated and likely exploited in the wild

While there hasn’t been an official announcement, most vulnerable websites seem to have already been force-updated based on the number of downloads since this flaw was patched on June 14.

According to Ninja Forms’ downloads stats, the security update has been rolled out over 730,000 times since the patch was released.

If the plugin hasn’t yet been updated automatically to the patched version, you can also manually apply the security update from the dashboard (the latest version secured against attacks is 3.6.11).

Wordfence analysts have also found evidence indicating that this security flaw is already exploited in ongoing attacks.

“WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions,” Chamberland added.

Ninja Forms force-update installs
Ninja Forms force-update installs

Forced updates used to patch critical bugs

This matches previous instances when Automattic, the company behind the WordPress content management system, used forced updates to quickly patch critical security flaws used by hundreds of thousands or millions of sites.

Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.

As Automattic security researcher Marc Montpas also told BleepingComputer in February, forced patching is used regardless of their admins’ settings in “very rare and exceptionally severe cases.”

For instance, in 2019, Jetpack received a critical security update that addressed a bug in how the plugin processed embed code.

Other forced security updates addressed an issue found during an internal audit of the Jetpack Contact Form block in December 2018, a critical bug in the way some Jetpack shortcodes were processed back in May 2016, and an auth logic problem in June 2021.

More recently, in February 2022, 3 million websites using the UpdraftPlus WordPress plugin were force-patched to close a vulnerability enabling subscribers to download the database backups.

Source: Sergiu Gatlan
Via: bleepingcomputer
Tags: 730K WordPress sites force-updated to patch critical plugin bug
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version