Four serious vulnerabilities have been identified in a single WordPress plugin used by over a million websites. The bugs affect Ninja Forms, a drag-and-drop form builder, and could be used to control a WordPress site and redirect administrators to malicious portals.

The first flaw allows site owners to be redirected to arbitrary locations by taking advantage of the wp_safe_redirect function. Attackers can craft a link whose redirect parameter sends the site owner to a malicious URL while indicating that an investigation of unusual site behavior is underway. This may be enough to convince the administrator to unintentionally click on the malicious link.

The second vulnerability allows attackers to intercept email traffic, provided they have subscriber-level access or higher. The third flaw allows attackers to access Ninja Forms' central admin panel by accessing the authentication key, while the fourth flaw allows threat actors to disconnect a site's OAuth connection, meaning 'there would be no way to delegate access'.