NinjaForms WordPress plugin, actively exploited in wild, receives forced security update • Graham Cluley

NinjaForms WordPress plugin, actively exploited in wild, receives forced security update

A critical vulnerability in a WordPress plugin used on over one million websites has been patched, after evidence emerged that malicious hackers were actively exploited in the wild.

WordPress has pushed out a forced automatic update to the widely-used Ninja Forms plugin after security researchers.

According to an analysis by experts at WordFence, the vulnerability “could allow attackers to execute arbitrary code or delete arbitrary files on sites.”

Sign up to our newsletter
Security news, advice, and tips.

In short, an unauthenticated attacker could…

More Info

Exploited Vulnerability Patched in WordPress Plugin With Over 1 Million Installations

More than one million WordPress websites were potentially impacted by a critical Ninja Forms plugin vulnerability that appears to have been exploited in the wild.

With over one million installations, the popular Ninja Forms plugin helps administrators add customizable forms to their WordPress sites.

The exploited security issue, which was identified in the Merge Tag functionality of the plugin, does not have a CVE identifier yet, but it has a CVSS score of 9.8.

“One feature of Ninja Forms is the ability to add ‘Merge Tags’ to forms that will auto-populate values from other areas of…

More Info

Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability

WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that’s suspected of having been actively exploited in the wild.

The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in, 3.1.10, 3.2.28,,,, and 3.6.11.


Ninja Forms is a customizable contact form builder that has over 1 million installations.

According to Wordfence, the bug “made it possible for unauthenticated…

More Info

730K WordPress sites force-updated to patch critical plugin bug

WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.

The vulnerability is a code injection vulnerability affecting multiple Ninja Forms releases, starting with version 3.0 and up.

Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature.


More Info

Noesis.Tech becomes India’s 1st WordPress VIP Silver Agency Partner

Noesis.Tech becomes India’s 1st WordPress VIP Silver Agency Partner

Published on June 14, 2022

Mumbai: Noesis.Tech, the technology products, and services division, of the Zoo Media network, has been added to the coveted list of global WordPress VIP Silver Agency Partners. WordPress VIP is the enterprise offering of the popular WordPress content management system launched by…

More Info

Headless WordPress And More With Ivan Popov

While attending WordCamp Porto, I had an opportunity to attend Ivan Popov’s presentation on Headless WordPress. It is one of the obscure areas for SEO, and I want to share a few insights with SEJ readers.

Headless WordPress brings the opportunity to feed many channels from your WordPress install.

One can push data from WordPress into:

  • Mobile app.
  • Website.
  • Third-party apps.
Image source: Slide from Ivan Popov’s presentation at WordCamp 2022

It makes WordPress more than just a CMS; it integrates into the whole ecosystem of web and mobile apps where users can still take advantage of using…

More Info

Top 7 SEO tips for WordPress sites

If your WordPress site rank is not performing as expected, all hope is not lost.

There are a couple of things you can do to improve your SEO ranking. The seven methods outlined below are quick, simple, and proven to show results.

1. Make sure HTTPS is enabled

Using an SSL certificate to secure your website lets your viewers know your site is secure, which helps with ranking.

SSL certificates are available both free and paid. Once you have an SSL certificate installed for your site, use a plugin like Really Simple SSL to assure your content is served…

More Info

Popular WordPress plugin that fixes email delivery issues gets major UI update after acquisition

Popular WordPress plugin that fixes email delivery issues gets major UI update after acquisition

Post SMTP, a free and widely used plugin that fixes common email delivery problems on WordPress, launched a new version of its software with an improved user interface on the heels of WPExperts acquiring it in March 2022.

Many WordPress sites have issues sending system and form-based email messages, and the delivery problems are persistent across many hosting providers. Some hosting services have safeguards that filter outgoing…

More Info

Smilodon Credit Card Skimming Malware Shifts to WordPress

WordPress’ massive market share has come with an unsurprising side effect: As more and more site admins turn to popular plugins like WooCommerce to turn a profit on their website and set up online stores we’ve seen a significant increase in the number of attacks targeting WordPress eCommerce sites. What’s more, bad actors are repurposing their old Magento credit card stealing malware for use against WordPress.

In today’s post we are going to examine one such piece of malware which was initially used as a backdoor in Magento environments but more recently repurposed to act as a…

More Info

WordPress pages or posts: Which should you use?

Since its launch in May 2003, WordPress has become the most-used website platform globally. The WordPress platform powers almost 37% of the top 1 million trafficked websites, according to BuiltWith data.

Given the low cost (you really only pay for hosting), ease of installation and use and flexibility, WordPress is ready for websites of all sizes, from personal blogs to enterprise businesses.

Count me as a fan. I’ve advocated for its use, going back to nearly the beginning of its existence in 2003.

I’ve worked on many WordPress websites,…

More Info