We just released version 2.9.11 of Ninja Forms. This update addresses a possible security vulnerability, and I wanted to take a minute to talk about what that vulnerability was and how it might impact our users.
First, the vulnerability only affected pages within the wp-admin. That means that a user would need to be logged in as an admin before they could do anything malicious, and even then, the vulnerability did not give users any more power than they would already have. I don’t say that to imply that such issues shouldn’t be fixed, but to help allay any fears that our users might have about the security of their data or WordPress site. The issue had to do with unescaped uses of add_query_arg() and remove_query_arg(). These have now all been properly escaped, and they no longer pose any kind of threat.
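As an added audit check (not Ninja Forms code), the following Python heuristic scans PHP source for echo/print output of add_query_arg() or remove_query_arg() that is not wrapped in esc_url() or esc_url_raw(), which is the pattern the update fixed; the sample PHP it runs over is constructed for illustration.

```python
import re

# add_query_arg()/remove_query_arg() build on the current request URI, so a URL they
# return must pass through esc_url() (or esc_url_raw() outside HTML) before it is printed.
QUERY_ARG_CALL = re.compile(r"\b(?:add|remove)_query_arg\s*\(")
OUTPUT_STMT = re.compile(r"\becho\b|\bprint\b|<\?=")
ESCAPERS = ("esc_url(", "esc_url_raw(")


def is_wrapped(line: str, call_pos: int) -> bool:
    """True if the *_query_arg( call at call_pos sits inside an escaper's parentheses."""
    depth = 0
    for i in range(call_pos - 1, -1, -1):  # walk backwards from the call
        ch = line[i]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth:
                depth -= 1
            elif line[: i + 1].endswith(ESCAPERS):  # unclosed "(" opened by an escaper
                return True
    return False


def find_unescaped_query_arg_output(php_source: str) -> list:
    """Return (line_no, line) for output statements printing an unescaped *_query_arg() URL."""
    # Heuristic: single-line only; a URL stored in a variable and echoed later is not tracked.
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        if not OUTPUT_STMT.search(line):
            continue
        for match in QUERY_ARG_CALL.finditer(line):
            if not is_wrapped(line, match.start()):
                findings.append((line_no, line.strip()))
                break
    return findings


# Constructed sample; not Ninja Forms source.
SAMPLE_PHP = """<?php
$base = add_query_arg( 'page', 'nf-settings' );                          // assigned only
echo '<a href="' . add_query_arg( 'tab', 'general' ) . '">';             // unescaped
echo '<a href="' . esc_url( add_query_arg( 'tab', 'general' ) ) . '">';  // escaped
?>
<a href="<?= remove_query_arg( 'updated' ) ?>">Back</a>                  <!-- unescaped -->
<a href="<?php echo esc_url( remove_query_arg( 'updated' ) ); ?>">Back</a>
"""

if __name__ == "__main__":
    for line_no, line in find_unescaped_query_arg_output(SAMPLE_PHP):
        print(f"line {line_no}: {line}")
```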
Along with several other WordPress plugins, we were alerted to the need for an update by Sucuri on Thursday, 16 April and had a patch ready within an hour. We were asked to give the other plugin authors time to update their plugins and to release the update today, Monday, 20 April. The coordinated update was to prevent other plugins, for which the vulnerability might not have been as benign, from being compromised.
If you have not already done so, we urge you to update to version 2.9.11 of Ninja Forms, as well as any other plugins that might have been affected by the same issue.
In an effort to make sure that as much of our user base as possible is protected, we’ve also released fixes for two older versions of Ninja Forms:
Version 2.7.8 and Version 2.8.14 have also been released. If you haven’t updated to 2.9.x yet, you can still get the security update by downloading one of those versions from WordPress.org.