A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution.
Identified as CVE-2026-0740, the issue is currently exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours.
With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Upload extension, included in the same suite, serves 90,000 customers.
With a critical severity rating of 9.8 out of 10, the CVE-2026-0740 vulnerability affects Ninja Forms File Upload versions up to 3.3.26.
According to Wordfence researchers, the flaw is caused by a lack of validation of file types/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also manipulate filenames to enable path traversal.
“The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version,” Wordfence explains.
“This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.”
“Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory.”
“This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”
The potential repercussions of exploitation are dire, including the deployment of web shells and complete site takeover.
Discovery and fixes
The vulnerability was discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence’s bug bounty program on January 8.
Following validation, Wordfence disclosed the full details to the vendor on the same day and pushed temporary mitigations via firewall rules to its customers.
After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19.
Given that Wordfence is detecting thousands of exploitation attempts daily, users of Ninja Forms File Upload are strongly recommended to prioritize upgrading to the latest version.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
