Vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-site Scripting (Stored XSS) attacks. Attackers can exploit this vulnerability by tricking WordPress admins into clicking specially crafted links that inject malicious JavaScript code as part of a newly-imported contact form. The vulnerability was discovered and reported responsibly to Ninja Forms’ developer Saturday Drive by Wordfence on April 27 and a security fix for the issue was published with version 3.4.24.2 within less than a day after the initial disclosure report.
Source: https://www.bleepingcomputer.com/news/security/ninja-forms-wordpress-plugin-patch-prevents-takeover-of-1m-sites/