When Patchstack did a post-mortem analysis of a Ninja Forms plugin object injection security bug and how it was patched — with a forced update — it brought some old questions to mind.

Source