PT-2026-30693 · WordPress · Ninja Forms - File Uploads

Sélim Lanouar · Published 2026-04-06 · Updated 2026-05-06

CVE-2026-0740 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ninja Forms - File Uploads versions prior to 3.3.27
Description: An issue in the Ninja Forms - File Uploads plugin allows unauthenticated attackers to upload arbitrary files, including PHP backdoors, which can lead to remote code execution and full site takeover. The flaw is caused by missing file type and extension validation for the destination filename in the NF_FU_AJAX_Controllers_Uploads::handle_upload() function. Attackers can bypass source validation by supplying valid file headers (such as PDF or GIF) and then use path traversal (e.g., ../../) in a POST request to the endpoint '/wp-admin/admin-ajax.php?action=nf_fu_upload' to save the file as a .php script in the webroot directory. Approximately 50,000 WordPress sites are estimated to be affected. Real-world exploitation has been observed, with over 118,600 attack attempts blocked by security firewalls. Attackers have used this to deploy web shells and move laterally across compromised networks.
Recommendations: Update to version 3.3.27. As a temporary workaround, disable or remove the File Uploads extension and block uploads at the webserver or WAF level.
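The root cause described above is that the handler validated the uploaded bytes (a PDF or GIF header passes) but not the destination filename, so a traversal sequence and a .php extension could still be written into the webroot. The following is an added illustrative example, written in Python for clarity rather than the plugin's PHP, and is not code from the advisory or from Ninja Forms; the function names, extension lists and magic-header table are this example's own constructed assumptions. It shows the destination-side checks a hardened handler performs: reject path separators outright, inspect every extension segment, require the declared extension to agree with the sniffed header, and confirm the resolved path stays inside the upload directory.

```python
"""Destination-filename validation for a form file-upload handler.

Illustrative example (not the plugin's code). The lesson from the advisory:
checking the *source* bytes against a magic header is not sufficient; the
*destination* name chosen by the client must be validated as well.
"""
import os

# Constructed allowlist: extensions this form is meant to accept.
ALLOWED_EXTENSIONS = {"pdf", "gif", "png", "jpg", "jpeg"}
# Server-side executable extensions that must never land in the webroot.
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}
# Constructed magic-header table (subset sufficient for the example).
MAGIC = (
    (b"%PDF-", {"pdf"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
)


def sniff_extensions(data):
    """Return the extension set implied by the file header, or None if unknown."""
    for magic, exts in MAGIC:
        if data.startswith(magic):
            return exts
    return None


def validate_upload(upload_dir, requested_name, data):
    """Return (True, destination_path) on acceptance or (False, reason) on rejection.

    Every branch returns instead of raising so the caller can log the reason;
    the reason strings double as detection signals for an upload-abuse alert.
    """
    name = requested_name
    # A bare file name never legitimately contains a path separator or NUL.
    if "/" in name or "\\" in name or "\x00" in name:
        return False, "path separator or NUL in filename"
    if name in ("", ".", ".."):
        return False, "empty or dot filename"
    parts = name.lower().split(".")
    # Requires at least one extension and no leading dot (this also blocks .htaccess).
    if len(parts) < 2 or parts[0] == "":
        return False, "missing extension or dotfile"
    exts = parts[1:]
    # Every segment is inspected, so shell.php.gif and shell.phtml both fail here.
    if any(e in DENIED_EXTENSIONS for e in exts):
        return False, "executable extension"
    final_ext = exts[-1]
    if final_ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowlisted"
    # The header must agree with the declared extension. A valid PDF or GIF
    # header on its own says nothing about where the bytes will be written.
    sniffed = sniff_extensions(data)
    if sniffed is None or final_ext not in sniffed:
        return False, "content does not match extension"
    # Defense in depth: the resolved destination must sit directly under upload_dir.
    root = os.path.abspath(upload_dir)
    dest = os.path.abspath(os.path.join(root, name))
    if os.path.dirname(dest) != root:
        return False, "destination escapes upload directory"
    return True, dest


if __name__ == "__main__":
    # Constructed sample requests: a benign upload and several abusive names.
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("../../shell.php", b"%PDF-1.4 constructed sample"),
        ("shell.php.gif", b"GIF89a constructed sample"),
        (".htaccess", b"%PDF-1.4 constructed sample"),
        ("image.gif", b"%PDF-1.4 constructed sample"),
    ]
    for requested, payload in samples:
        ok, detail = validate_upload("/var/www/html/wp-content/uploads/ninja-forms", requested, payload)
        print(f"{'ACCEPT' if ok else 'REJECT'} {requested!r}: {detail}")
```

Note that the example rejects names containing separators rather than silently stripping them with a basename call: a traversal sequence in a form upload is itself worth logging, and an explicit reason string feeds a WAF or SIEM rule more cleanly than a normalised path does.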

Tags: Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-0740

Affected Products: Ninja Forms - File Uploads