PT-2026-30693 · WordPress · Ninja Forms - File Uploads

Sélim Lanouar

·

Published

2026-04-06

·

Updated

2026-07-05

·

CVE-2026-0740

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Ninja Forms - File Uploads versions prior to 3.3.27
Description Unauthenticated attackers can upload arbitrary files, including PHP scripts, to a server due to missing file type and extension validation in the NF FU AJAX Controllers Uploads::handle upload() function. The flaw also allows path traversal via the destination filename, enabling attackers to move uploaded files into the webroot to deploy webshells and achieve remote code execution (RCE), which can lead to full site takeover. This issue has been actively exploited, with an estimated 50,000 sites affected and thousands of exploitation attempts observed.
Recommendations Update Ninja Forms - File Uploads to version 3.3.27. As a temporary workaround, disable or remove the File Uploads extension. Scan the webroot and uploads directory for unexpected .php or suspicious files and remove them. Deploy WAF rules to block the plugin upload endpoint and exploit patterns. Rotate admin, database, and API credentials if a compromise is suspected.

Exploit

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-0740

Affected Products

Ninja Forms - File Uploads