Latest WordPress plug-in security issue exposes user data

By: Rob Corbidge, 31 July 2023


Major exploits identified in a form-building plug-in have potentially exposed users to malicious actors

Hundreds of thousands of websites have been affected by the latest WordPress plug-in security issue, with the exposed personal details of site users at the heart of the security headache.

Popular plug-in Ninja Forms, used to create onsite forms and with over 900,000 active installations, was found to have three distinct vulnerabilities in the latest version released to customers. The vulnerabilities, according to Patchstack, could allow actors with malicious intent to achieve "privilege escalation" within the affected site's CMS and steal user data.

Users of the plug-in have been urged to update to the latest version of Ninja Forms, which patches the security issue. Precise information about the nature of the exploits was delayed for a number of weeks after they were discovered in order to give admins time to install a secure update from Ninja Forms.

However, as Bleeping Computer have pointed out, many installs of the plug-in remain without such an update, meaning hundreds of thousands of sites and their associated user data are at risk.

Such WordPress plug-in issues are almost certainly unavoidable, given the number of sites that run on WP globally. There will always be exploits when a system relies on plug-ins and customisation to make it work for the client.

The consequent, and constant, maintenance cost is one that publishers must either accept in order to eliminate risk to their publishing systems, or they must be able to live with a degree of risk, a risk that grows more complex as each WordPress install becomes a unique install over time.