As part of their regular research audits for their Sucuri Firewall, Sucuri team discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites.
A malicious individual using this bug could (among other things) leak the site’s usernames and hashed passwords. In certain configurations, it can also leak WordPress secret keys.
If you are not using the latest version of this plugin where the vulnerability has been fixed, update it as soon as possible or contact Dusk Owl for help with the update.