TL;DR – We created a security vulnerability. We’re sorry. Update to version 2.9.45 of Ninja Forms.
About two weeks ago, we were contacted by a security researcher, James Golovich, regarding a file upload issue within Ninja Forms. He demonstrated that it was possible to upload an arbitrary file using some test code that hadn’t been removed during our build process. We realised that the test code had accidentally been utilised in other areas of the plugin, and we immediately began working on a fix. While the issue was being patched, we reached out to the devs at the WordPress.org repo and began the process of preparing for auto-updating users of the affected versions. Once the patch had been tested, we pushed version 2.9.43 and .1 versions of 2.9.36 – 2.9.42. Shortly after, WordPress.org began pushing out automatic updates.
We didn’t want to go public with the vulnerability until our users had had time to update, both to the newest version and the .1 versions. A big thank you to James Golovich for the responsible disclosure; he gave us time to fix the issue and for our users to update to safe versions before disclosing the vulnerability on his site. You can read James’ post about the vulnerability here.
Discovering that a piece of software you have released contains security vulnerabilities is always a gut-wrenching experience. It hurts, and it’s something that keeps developers up at night. When I read James’ initial report, my stomach climbed into my chest. Nothing will make your stomach take up spelunking like: “I’ve discovered a severe security issue with your Ninja Forms plugin. Please contact me directly asap and I will disclose the issue.” I took some Tums and called an all-hands developer meeting.
No developer sets out to create security vulnerabilities; even with the best developers and procedures in place, security bugs are going to slip through the cracks. This is especially true for plugins that have mostly front-facing components, like form builders. Our job is to take data from untrusted sources, which means that there are a lot more areas for failure. Over the past couple of years, several high-profile plugins, even in the forms space, have patched serious security issues. We know that that isn’t an excuse, though, and we want to apologise to our users.
We’ve done a post-mortem on the vulnerability and have come away with data that we believe will help prevent vulnerabilities from slipping through in the future. We’re going to do everything we can both to prevent vulnerabilities and to respond to them even faster.
Thank you to everyone who trusts us to run code on their site; you are awesome and you deserve awesome software. The fact that so many users run Ninja Forms is humbling and genuinely means the world to us, and we take your security very seriously.
Our sincere apologies to all users affected by the erroneous blacklisting of v2.9.45 on GoDaddy managed hosting plans on Sunday, May 15. There was an internal miscommunication that resulted in the misidentification of version numbers and the patched, safe version of Ninja Forms being removed from many of your WordPress installs. We’ve worked through this with the folks at GoDaddy and as of Monday, May 16th all affected websites should have been corrected by GoDaddy. Please do contact our support team if there are any lingering issues, and we will work to resolve them for you immediately. Again, please accept our sincere apologies and thank you for your patience.