PT-2026-30693 · WordPress · Ninja Forms - File Uploads
Sélim Lanouar
·
Published
2026-04-06
·
Updated
2026-07-05
·
CVE-2026-0740
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Ninja Forms - File Uploads versions prior to 3.3.27
Description
Unauthenticated attackers can upload arbitrary files, including PHP scripts, to a server due to missing file type and extension validation in the
NF FU AJAX Controllers Uploads::handle upload() function. The flaw also allows path traversal via the destination filename, enabling attackers to move uploaded files into the webroot to deploy webshells and achieve remote code execution (RCE), which can lead to full site takeover. This issue has been actively exploited, with an estimated 50,000 sites affected and thousands of exploitation attempts observed.Recommendations
Update Ninja Forms - File Uploads to version 3.3.27.
As a temporary workaround, disable or remove the File Uploads extension.
Scan the webroot and uploads directory for unexpected .php or suspicious files and remove them.
Deploy WAF rules to block the plugin upload endpoint and exploit patterns.
Rotate admin, database, and API credentials if a compromise is suspected.
Exploit
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ninja Forms - File Uploads