The attack is accomplished via a Cross-Site Request Forgery (CSRF) that leads to a Stored Cross-Site Script attack.
All versions of Ninja Forms from 18.104.22.168 and earlier are vulnerable.
Wordfence QA Engineer Ram Gall had this to say about the vulnerability:
As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.”
The plugin’s developers took swift action. They were informed of the issue by Wordforce on April 27th, 2020, and issued a patch just five days later. Unfortunately, based on the company’s statistics, the majority of sites making use of Ninja Forms (more than 800,000) are running old versions, and are still vulnerable.
Wordfence has rated this security flaw with a CVSS score of 8.8, which makes it a high severity issue. If you use the plugin in any capacity, it’s important that you patch to the latest version as soon as possible to help keep your system secure.
Kudos to the sharp-eyed team at Wordfence for spotting the issue, and to the Ninja Forms development team for their fast action in delivering a patch!