Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.
The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.
A brief description of each of the vulnerabilities is below -
Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.
UPCOMING WEBINAR
[Shield Against Insider Threats: Master SaaS Security Posture Management
](<https://thn.news/I26t1VFD>)
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
The disclosure comes as Patchstack revealed another reflected XSS vulnerability flaw in the Freemius WordPress software development kit (SDK) affecting versions prior to 2.5.10 (CVE-2023-33999) that could be exploited to obtain elevated privileges.
Also discovered by the WordPress security company is a critical bug in the HT Mega plugin (CVE-2023-37999) present in versions 2.2.0 and below that enables any unauthenticated user to escalate their privilege to that of any role on the WordPress site.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.