The development team of the Ninja Forms WordPress plugin fixed a high-severity security flaw that can let attackers take over websites. The flaw affects all Ninja Forms versions up to 3.24.2.2 and more than 1 million installs. In the attack scenario, hackers trick WordPress admins into clicking specially crafted links that inject malicious JavaScript code as part of a newly imported contact form. The vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version.
Source: https://securityaffairs.co/wordpress/102568/breaking-news/ninja-forms-wordpress-plugin-csrf.html