Ninja Forms, a WordPress plugin used by more than 1 million sites, has four flaws that allow various kinds of serious attacks, including site takeover and email hijacking. The four bugs allow lower-privileged users (even those who have only registered for a site) to carry out a range of malicious activity: eavesdropping on site email, taking over admin accounts, installing arbitrary add-ons to a target site and redirecting site owners to malicious destinations. Three of the bugs require social engineering to be successful.
Source: https://threatpost.com/ninja-forms-wordpress-plugin-hacks/164042/