An information disclosure vulnerability has been patched in Ninja Forms, the form-building plugin for WordPress with more than one million active installations.
An authenticated attacker who abuses the flaw could export personal data submitted to websites via forms built with the extension.
The plugin’s developer, Saturday Drive, addressed the flaw in version 3.5.8, which it released yesterday (September 7) after a delay in rolling out what was otherwise a seemingly rapid fix.
The insecure code was introduced in version 3.5.5, according to a blog post published by WordPress security service Plugin Vulnerabilities.
Plugin Vulnerabilities recommends that, as well as updating their systems, website administrators who run vulnerable versions and grant ‘untrusted’ individuals access to WordPress accounts review “log files for the website to make sure there haven’t been any requests for the relevant path” to exploitation.