The form plugin Ninja Forms currently has a security hole that affects all versions up to and including 3.6.3. According to wpscan.com, the WordPress security scanner, the problem is that input from fields transmitted via the POST method was not escaped.
What exactly the restriction to "users with high rights" means is so far unclear. In any case, SQL injections would potentially be possible. Presumably, this would allow database queries to be smuggled in via input fields, which could then read out or manipulate data, for example.
Ninja Forms is a widely used WordPress plugin for creating forms that site visitors can fill out. Because install counts are reported only very roughly above one million, the actual number of websites that have Ninja Forms activated is between one and two million. Large parts of the web would therefore be affected by the security gap.
The current version 3.6.4 of the plugin, which was released about 24 hours ago, fixes the problem. The changelog mentions the elimination of the vulnerability:
There is currently no detailed description of how this vulnerability, which has the identifier CVE-2021-24889, could be exploited. But on November 4th, the developers want to publish a so-called proof-of-concept that illustrates this. All users of the plugin are strongly advised to update Ninja Forms to version 3.6.4 by then at the latest.
Ninja Forms was already affected by a security flaw a few weeks ago. The problem at the end of September concerned unprotected requests via the REST API, which allowed attackers to skim off sensitive data or perform email injections.