Nuno Correia

**Name of the Vulnerable Software and Affected Versions** Ninja Forms - File Uploads Extension WordPress plugin versions up to and including 3.3.12 **Description** The issue is related to reflected cross-site scripting due to missing sanitization of the `filename` parameter found in the ~/includes/ajax/controllers/uploads.php file. This can be exploited by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites. **Recommendations** For versions up to and including 3.3.12, update to a version higher than 3.3.12 to resolve the issue. As a temporary workaround, consider restricting access to the ~/includes/ajax/controllers/uploads.php file until a patch is available. Avoid using the `filename` parameter in the affected API endpoint until the issue is resolved.