![\"Hackers](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/07\/NinjaForms.jpg\")
<\/p>\n<\/p>\n
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution.<\/p>\n
Identified as CVE-2026-0740, the issue is currently exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks<\/a> over the past 24 hours.<\/p>\n With over 600,000 downloads<\/a>, Ninja Forms is a popular WordPress form builder that lets users create forms without coding using a drag-and-drop interface. Its File Upload extension, included in the same suite, serves 90,000 customers<\/a>.<\/p>\n With a critical severity rating of 9.8 out of 10, the CVE-2026-0740 vulnerability affects Ninja Forms File Upload versions up to 3.3.26.<\/p>\n According to Wordfence researchers, the flaw is caused by a lack of validation of file types\/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also manipulate filenames to enable path traversal.<\/p>\n “The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version,” Wordfence explains<\/a>.<\/p>\n “This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension.”<\/p>\n “Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory.”<\/p>\n “This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.”<\/p>\n The potential repercussions of exploitation are dire, including the deployment of web shells and complete site takeover.<\/p>\n The vulnerability was discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence’s bug bounty program on January 8.<\/p>\n Following validation, Wordfence disclosed the full details to the vendor on the same day and pushed temporary mitigations via firewall rules to its customers.<\/p>\n After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19.<\/p>\n Given that Wordfence is detecting thousands of exploitation attempts daily, users of Ninja Forms File Upload are strongly recommended to prioritize upgrading to the latest version.<\/p>\n ![\"Hackers](\"https:\/\/www.bleepstatic.com\/c\/a\/as-tour-the-platform-970-x250.jpg\")
<\/a> <\/div>\nDiscovery and fixes<\/h3>\n