Critical Ninja Forms File Upload Vulnerability Allows Unauthenticated Remote Code Execution

A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress enables attackers to upload arbitrary files without authentication, potentially leading to remote code execution and complete site compromise.

The Vulnerability Details

Tracked as CVE-2026-0740 with a critical severity rating of 9.8 out of 10, this flaw affects Ninja Forms File Upload versions up to 3.3.26. The vulnerability is currently being actively exploited, with Wordfence reporting that its firewall blocked more than 3,600 attacks in a single 24-hour period.

Ninja Forms is one of WordPress’s most popular form builders, boasting over 600,000 downloads. Its File Upload extension serves approximately 90,000 customers, making this a widespread security concern.

How the Attack Works

According to Wordfence security researchers, the vulnerability stems from insufficient file type and extension validation on the destination filename. The vulnerable code lacks proper checks before moving uploaded files, which creates a dangerous window for exploitation.

This flaw allows attackers to:

  • Upload files with dangerous extensions, including .php scripts
  • Exploit path traversal by uploading files without filename sanitization
  • Move malicious files directly into the webroot directory
  • Execute arbitrary PHP code on the server without authentication

“The function does not include any file type or extension checks on the destination filename before the move operation,” Wordfence explains. “This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.”

The potential consequences are severe, including web shell deployment and complete site takeover.

Discovery and Remediation Timeline

Security researcher Sélim Lanouar (whattheslime) discovered the vulnerability and responsibly reported it to Wordfence’s bug bounty program on January 8. After validation, Wordfence disclosed the issue to the vendor the same day and immediately deployed temporary firewall mitigations for its customers.

The vendor released a partial fix on February 10, followed by a complete fix in version 3.3.27, available since March 19.

Recommended Action

Given the high severity rating and active exploitation attempts, users of Ninja Forms File Upload should upgrade to version 3.3.27 or later immediately. With thousands of exploitation attempts detected daily, delaying this update poses a significant risk to site security.

Related Articles

Back to top button