Ninja Forms, an excellent plugin for creating and managing ad hoc forms on WordPress websites, is installed on over 1 million WordPress sites. We love the service and use it in many of the websites we manage.
But there’s a problem. A series of recent bugs in its code could allow hackers to take over your website.
The issue centers around a login service called OAuth. OAuth is a technology that allows websites to remember a previous login — log in once and, using OAuth, gain repeated access.
The system recognizes the connection by splitting a series of numbers (a key) in two, leaving one half on the server and the other on the customer’s browser. When a connection is made, the server can read the combined value and the customer can log in without a password.
The problem with Ninja Forms is that a software flaw exposed the half of the key that is kept on the server.
The Ninja Forms Fix
Hackers monitoring a website would be able to view connections being made and collect both the public key (which is visible publicly) and the server key (which is supposed to be hidden). Voilà! A hacker now has backdoor access into their target website.
The error was first reported on January 20th by developers at Wordfence (a Visual String partner company that provides WordPress security solutions).