PT-2026-30693 · WordPress · Ninja Forms - File Uploads

Sélim Lanouar · Published 2026-04-06 · Updated 2026-04-07 · CVE-2026-0740

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

Ninja Forms - File Uploads plugin for WordPress versions up to and including 3.3.26

Description

The Ninja Forms - File Uploads plugin for WordPress has a flaw that allows unauthenticated attackers to upload arbitrary files. This is due to missing file type validation in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. Successful exploitation could lead to remote code execution. Approximately 50,000 WordPress sites are estimated to be affected. The vulnerability exists because the destination filename lacks file type validation, while the source filename is checked. This allows attackers to upload files with a .php extension and potentially perform path traversal to the webroot directory.

Recommendations

Update to version 3.3.27
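
The mismatch described above, where the source filename is checked but the destination filename is not, is closed by validating the name the file is actually written under. The following is an added example, not the plugin's code or its 3.3.27 fix; `safe_destination`, the extension allowlist and the sample names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist for this example; a real form would use its own field settings.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Validate the DESTINATION name (the name the file gets on disk) and return
 * an absolute path inside $uploadDir, or null if the upload must be refused.
 */
function safe_destination(string $uploadDir, string $destName): ?string
{
    // Plain file names only: no slashes, backslashes, NUL bytes or leading dots,
    // so "../" sequences and absolute paths never reach the filesystem call.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $destName) !== 1) {
        return null;
    }
    // Every dot-separated segment after the first must be allowlisted, which
    // refuses "a.php" as well as double extensions such as "a.php.jpg".
    $segments = explode('.', strtolower($destName));
    array_shift($segments);
    if ($segments === []) {
        return null; // no extension at all
    }
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $destName;
}

// Constructed sample requests: [source name sent by the client, requested destination name].
$samples = [
    ['photo.jpg', 'photo.jpg'],
    ['photo.jpg', 'photo.php'],
    ['photo.jpg', '../../photo.php'],
    ['report.pdf', 'report.php.pdf'],
];
foreach ($samples as [$source, $dest]) {
    $path = safe_destination(sys_get_temp_dir(), $dest);
    printf("%-12s -> %-18s %s\n", $source, $dest, $path === null ? 'REJECTED' : 'accepted');
}
```

The per-segment allowlist is deliberately strict: a legitimate name such as `photo.v2.jpg` is also refused, which is the trade-off for not depending on how the web server maps multiple extensions.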

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-0740

Affected Products

Ninja Forms - File Uploads