A dangerous SQL Injection vulnerability has been disclosed and patched that could affect the Ninja Forms plugin for WordPress, impacting the 600,000 sites using that website construction software.
Sucuri noted in a blog post that it disclosed the issue to Ninja forms on August 11 and within five hours a new version had been made public fixing the problem. However, if a user has not updated their site a malicious actor exploiting this vulnerability could leak the site's usernames and hashed passwords and even leak WordPress secret keys. The attacker does need to have an account with the target site, but the level of association could be as low privileged as just being a subscriber.
The issue occurs because the plugin doesn't escape parameters provided by its shortcodes before concatenating it to an SQL query, Sucuri wrote.