Vulnerability Discovered in Ninja Forms <= 3.4.33

Ninja Forms WordPress plugin has over one million active installations and can be used to easily create forms on a WordPress site. In versions prior to 3.4.33, there were multiple vulnerabilities. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to install a plugin that could be used to intercept all mail traffic. The third flaw made it possible for attackers with subscriber level access to to retrieve the Ninja Form OAuth Connection Key that could be used to establish a connection with the Ninja Forms central management dashboard. The final flaw made it possible for attackers to disconnect a site’s OAuth Connection if they could trick a site’s administrator into performing an action. These flaws could be used to take over a WordPress site and redirect site owners to malicious sites.

The issue has been fixed in Version 3.4.34 which is available now from the WordPress Plugin Repo.