On January 20, 2021, the Wordfence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin installed on over one million sites. The first flaw made it possible for attackers to redirect site administrators to arbitrary locations. The second made it possible for attackers with subscriber-level access or above to install a plugin that could be used to intercept all of the site's mail traffic.
The third flaw made it possible for attackers with subscriber-level access to retrieve the Ninja Forms OAuth Connection Key, which could then be used to establish a connection with the Ninja Forms central management dashboard. The final flaw made it possible for attackers to disconnect a site's OAuth connection if they could trick a site administrator into performing an action. Together, these flaws could be used to take over a WordPress site and redirect site owners to malicious sites.