Vulnerability in the Ninja Forms WordPress Plugin

A vulnerability (no CVE has been assigned) has been found in the Ninja Forms WordPress plugin, which has more than a million active installations. It allows an outside visitor to gain full control over the site. The problem is fixed in releases 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11. The vulnerability is reported to be already in use in attacks, and to block the problem urgently the developers of the WordPress platform initiated a forced automatic installation of the update on user sites.

The vulnerability is caused by an error in the implementation of the Merge Tags functionality, which allows unauthenticated users to call some static methods of various Ninja Forms classes (the `is_callable()` function was used to check the methods mentioned in data passed through Merge Tags). Among the methods that could be called was one that deserializes content supplied by the user. By passing specially crafted serialized data, an attacker could substitute their own objects and achieve execution of PHP code on the server or delete arbitrary files in the site's data directory.
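
The bug class described above, as an added illustration that is neither Ninja Forms code nor its actual patch: `is_callable()` only confirms that a callable exists, so it cannot serve as an authorization check on names taken from input. All class, function and tag names here (`DemoTags`, `resolveTagWeak`, `resolveTagStrict`, `site:name`) are hypothetical, and the serialized input is a constructed, harmless array.

```php
<?php
// Constructed illustration; every class, method and tag name is hypothetical.

final class DemoTags
{
    // Intended to be reachable from a merge tag.
    public static function siteName(): string { return 'Example Site'; }

    // Internal helper that was never meant to receive visitor input.
    public static function loadState(string $blob)
    {
        // allowed_classes => false turns every serialized object into
        // __PHP_Incomplete_Class, so no input-chosen class is instantiated.
        return unserialize($blob, ['allowed_classes' => false]);
    }
}

// Weak pattern: is_callable() only answers "does this callable exist?",
// so any public static method named in the tag passes the check.
function resolveTagWeak(string $tag, string $arg = '')
{
    $callable = explode('::', $tag, 2);
    if (count($callable) === 2 && is_callable($callable)) {
        return call_user_func($callable, $arg);
    }
    return null;
}

// Hardened pattern: the tag is a key into a fixed map; input never names code.
const TAG_HANDLERS = [
    'site:name' => [DemoTags::class, 'siteName'],
];

function resolveTagStrict(string $tag)
{
    if (!array_key_exists($tag, TAG_HANDLERS)) {
        return null; // unknown tag: render nothing, call nothing
    }
    return call_user_func(TAG_HANDLERS[$tag]);
}

// Allowlisted tag resolves; a Class::method string is just an unknown key.
var_dump(resolveTagStrict('site:name'));
var_dump(resolveTagStrict('DemoTags::loadState'));
// The weak resolver reaches the internal helper merely because it exists.
var_dump(resolveTagWeak('DemoTags::loadState', serialize([1, 2])));
```

The two controls are independent: the allowlist removes input-driven method dispatch, and `allowed_classes => false` limits what a deserialization call can do if it is reached anyway.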
