If you recently noticed that your Ninja Forms updated without your express consent, first, we’re very sorry about that. It’s not something we ever really want to do, but in this case was necessary. Here’s why it happened.
A short time ago, a security issue in Ninja Forms was brought to our attention by one of our user’s security teams. While we always act on security reports quickly, we realized that, due to the nature of this issue, it warranted an exceptionally quick fix. As in, we dropped everything to work on it.
With that fix in hand, we had two options: 1) release an update as normal with the patch, or 2) work with the WordPress Plugin Team to apply an auto-update to all sites running Ninja Forms.
Option 1 presented a problem: once we ran the normal update with the patch, the nature of the vulnerability would be publicly accessible to individuals who know what to look for. And there are definitely people who watch WordPress plugin updates for security patches. Not all have good intentions, meaning some malicious actors could use this process to exploit sites that had not yet run the update.
So we went with Option 2. Even though we really disliked the notion of surprising you with an update, it means your Ninja Forms are secure. We understand that a great many of you depend on your websites for your livelihoods, for the groups and organizations you care so much about, and that so many other people depend on you in turn. That’s a reality that we take very seriously, and not something we want to jeopardize if humanly possible.
We realize the level of trust you place in Ninja Forms, and it’s our responsibility to ensure that that trust is well placed. Thank you for placing that trust in us, and we’ll continue to do everything we can to live up to it. No software is immune to bugs and potential security threats, but it’s our job to prevent what we know, learn from what we don’t, and act fast for the betterment of our community no matter what challenges arise.
Again, we’re very sorry for any aggravation that this has caused. There was no perfect option in this scenario, and we ran with the solution that we believed would be the best option for those of you that depend on us to keep Ninja Forms secure. Thank you very much for your understanding.
Bob Euliss says:
I am just finding out about this. Users are letting me know that instead of showing my forms, they are seeing [ninja_form id=7] or whatever. Ninja Forms is no longer in my dashboard or in my list of plugins. Did I just lose my forms and submissions? How am I going to replace those, on multiple websites and different forms no less?