Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection
The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One such method from the plugin itself could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting this issue since June 9th, 2022.
Proof of Concept
The PoC will be displayed on July 15, 2022, to give users the time to update.