PT-2026-30693 · WordPress · Ninja Forms - File Uploads

Sélim Lanouar · Published 2026-04-06 · Updated 2026-04-14

CVE-2026-0740 · CVSS v3.1 9.8 (Critical) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ninja Forms - File Uploads plugin for WordPress, versions up to and including 3.3.26

Description: The Ninja Forms - File Uploads plugin for WordPress has a critical vulnerability that allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE). The issue stems from missing file type validation in the `NF_FU_AJAX_Controllers_Uploads::handle_upload` function. Attackers can exploit this by uploading malicious PHP files, using path traversal in the filename to place them in the webroot, and then requesting them to gain control of the affected site. Approximately 50,000 WordPress sites are estimated to be affected, and thousands of exploitation attempts have already been observed. In short, the vulnerability permits unauthenticated HTTP file uploads, path traversal in filenames, and the upload of executable files such as PHP, which together enable web shell execution. The vulnerability was partially addressed in version 3.3.25 and fully fixed in version 3.3.27.

Recommendations: Immediately update the Ninja Forms - File Uploads plugin to version 3.3.27 on all affected sites. Scan webroots and backups for PHP web shells and remove any malicious files. If compromise is suspected, restore from a clean backup and rotate credentials. Consider disabling the File Uploads extension if an immediate patch cannot be applied.
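As an added illustration (not the plugin's own code or its actual fix), the following shows the two server-side checks whose absence the advisory describes, a traversal-free filename with an extension allow-list, together with the post-compromise sweep it recommends: a walk over an uploads tree that flags files a PHP-capable web server would execute. The allow-list and the set of executable extensions are assumptions chosen for the example.

```python
"""Defender-side checks for the weaknesses described above (added example).
safe_upload_name() rejects what handle_upload() was reported not to check;
find_executable_uploads() is the webroot sweep the recommendations call for.
The extension sets are assumptions, not values taken from the plugin."""
import os
from typing import List, Optional, Set

# Suffixes that a typical PHP-enabled server will execute (assumed list).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def safe_upload_name(filename: str, allowed_exts: Set[str]) -> Optional[str]:
    """Return the filename if it is safe to store, otherwise None.

    Rejects empty names, NUL bytes, any path separator or '..' (so a name like
    '../../shell.php' cannot leave the upload directory), and any dotted
    suffix that is executable or outside the allow-list. Every suffix is
    inspected, so 'shell.php.jpg' is refused as well.
    """
    if not filename or "\x00" in filename:
        return None
    if "/" in filename or "\\" in filename or ".." in filename:
        return None
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:          # no extension, or dotfile
        return None
    exts = parts[1:]
    if any(ext in EXECUTABLE_EXTS for ext in exts):
        return None
    if exts[-1] not in allowed_exts:
        return None
    return filename


def find_executable_uploads(root: str) -> List[str]:
    """Walk an uploads directory and return the relative paths of files whose
    last suffix is executable. Nothing legitimate should live there with
    such a suffix, so each hit is a candidate web shell to inspect."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)
```

Point `find_executable_uploads()` at `wp-content/uploads` of a live site and at each backup copy; a non-empty result means the sweep the advisory recommends has found something to examine.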

Tags: Fix · RCE · Unrestricted File Upload

Related Identifiers: CVE-2026-0740

Affected Products: Ninja Forms - File Uploads