Original link: https://www.wpdaxue.com/newsletter/129910.html
Ninja Forms, a form builder plugin with over a million installs, recently exposed a code injection vulnerability that allows an unauthenticated attacker to call a limited number of methods in various Ninja Forms classes, including The provided content is deserialized by the method, resulting in object injection. This could allow an attacker to execute arbitrary code or delete arbitrary files on a site where a separate POP chain exists. It was publicly disclosed last week and patched in the latest version 3.6.11. Patches were also backported to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, and 3.5.8.4. Thanks to Ninja Forms
This article is reprinted from: https://www.wpdaxue.com/newsletter/129910.html
This site is for inclusion only, and the copyright belongs to the original author.