• Resolved Zaffy

    (@zaffy)


    Hello.

    Last night, the plugin was auto-updated even though the auto-update option is disabled. I contacted my hosting provider (SiteGround) and they reassured me that they did not do anything server-side (their Site Tools auto-update option was also disabled).
    Was it you that initiated an auto update of the plugin despite our plugin settings?
    Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Same, we also saw an auto-update, while auto-updates are disabled for all plugins besides Google Site Kit. Unsure if ww.wp.xz.cn forced the update or not; I didn’t see that it was specifically security high risk although it may have triggered on the word ‘spoofing’ in the NF changelog?

    Thread Starter Zaffy

    (@zaffy)

    According to Wordfence there were security issues with one of the recent versions of the Ninja Forms plugin, but I had already updated to the patched version before the auto-update happened. Maybe it wasn’t patched? Can anyone from the plugin’s team answer us?

    Plugin Support Mia

    (@xmiax)

    Hi

    Thanks for reaching out and expressing your concern. The recent auto-update was pushed out by ww.wp.xz.cn for all versions of Ninja Forms, starting from 3.4.0 to the current version. A critical vulnerability was discovered that allowed anonymous users with knowledge of that vulnerability to access data they shouldn’t be able to. It is important to note that there have been no known actual or public exploitations of this vulnerability. This was patched as soon as it was uncovered by a security audit and we take all security vulnerabilities, realized or theoretical, very seriously.

    Thanks

    Mia
