Attacks on sites via the Ninja Forms WordPress plugin, which has over a million installations

The Ninja Forms WordPress plugin, which has over a million active installations, has a critical vulnerability (CVE not yet assigned) that could allow an outside visitor to take full control of the site. The issue has been fixed in releases 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11. The vulnerability is reported to be already exploited in attacks, and to contain the problem quickly the developers of the WordPress platform initiated a forced automatic installation of updates on user sites.

The vulnerability is caused by an error in the implementation of the Merge Tags functionality, which allows unauthenticated users to call some static methods of various Ninja Forms classes (is_callable() was used to check whether the data passed through Merge Tags referred to a method). Among other things, it was possible to call a method that deserializes content supplied by the user. By passing specially formatted serialized data, an attacker could inject their own objects and achieve execution of PHP code on the server or delete arbitrary files in the site data directory.
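The dispatch pattern described above, next to a hardened form, as an added example that is not Ninja Forms code: the class, the method names and both tag formats are hypothetical. It shows why is_callable() is an existence check rather than an authorization check, and how unserialize() can be told to refuse object instantiation.

```php
<?php
// Hypothetical names throughout; this is not code from the plugin.
final class DemoFields
{
    public static function siteTitle(): string
    {
        return 'Example Site';
    }

    // Stand-in for a static helper that was never meant to be reachable
    // from form input. Hardened: untrusted serialized data may only yield
    // scalars and arrays, never objects of application classes.
    public static function importState(string $blob)
    {
        return unserialize($blob, ['allowed_classes' => false]);
    }
}

// Weak pattern: the tag itself names the class and method, and
// is_callable() only confirms that such a method exists.
function resolveTagWeak(string $tag): ?string
{
    if (preg_match('/^\{(\w+)::(\w+)\}$/', $tag, $m) && is_callable([$m[1], $m[2]])) {
        return (string) call_user_func([$m[1], $m[2]]);
    }
    return null;
}

// Hardened pattern: tags are looked up in a fixed allowlist of handlers,
// so request data can select a handler but can never name one.
const ALLOWED_TAGS = [
    '{site:title}' => [DemoFields::class, 'siteTitle'],
];

function resolveTagStrict(string $tag): ?string
{
    if (!array_key_exists($tag, ALLOWED_TAGS)) {
        return null; // unknown tag: keep it as literal text, never dispatch
    }
    return (string) call_user_func(ALLOWED_TAGS[$tag]);
}

// Constructed sample tags.
var_dump(resolveTagWeak('{DemoFields::siteTitle}'));   // dispatched: any public static method is reachable
var_dump(resolveTagStrict('{DemoFields::siteTitle}')); // rejected: not in the allowlist
var_dump(resolveTagStrict('{site:title}'));            // dispatched through the allowlist entry
```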

Source: opennet.ru
