A significant security flaw has been identified in the widely used WordPress plugin, Ninja Forms – File Upload, jeopardizing around 50,000 websites.
Details of the Vulnerability
The vulnerability, tracked as CVE-2026-0740, carries a critical CVSS score of 9.8, a severity that demands immediate action from site administrators.
Security researcher Sélim Lanouar uncovered this flaw, receiving a $2,145 bug bounty for the discovery. The vulnerability is categorized as an Unauthenticated Arbitrary File Upload.
This classification means that an attacker can upload harmful files to a website without authenticating, that is, without any username or password.
Potential Impact on Websites
When exploited, the vulnerability leads to remote code execution (RCE), giving the attacker full control over the web server.
The Ninja Forms File Upload addon facilitates user file submissions using the PHP function handle_upload(). This function relocates temporary uploaded files to their final locations through the _process() method.
Although the code attempts to verify file types, the critical flaw lies in the step that saves the file, which leaves room for exploitation.
Exploitation Technique and Consequences
The vulnerability stems from the failure to check the file extension before the move_uploaded_file() call, compounded by inadequate filename sanitization.
Because the filename is not sanitized, an attacker can use path traversal to manipulate the destination path and place a .php file where the web server will execute it.
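The two missing controls described above (an extension check before the move and filename sanitization that strips path components) look like this in a hardened upload handler. This is an added example, not code from the Ninja Forms plugin; the function name, directory and allow-list are assumptions.

```php
<?php
// Added example (not the Ninja Forms plugin's code). Function name, upload
// directory and allow-list are assumptions chosen for illustration.

function safe_move_upload(array $file, string $uploadDir, array $allowedExt): ?string
{
    // Only accept a file that PHP created for this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Sanitize the filename: drop every directory component ("../" and
    //    "..\" alike), then allow only a conservative character set.
    $name = basename(str_replace('\\', '/', $file['name']));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // 2. Check the extension BEFORE the move, against an allow-list.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    // Also reject inner PHP extensions ("x.php.png"), which some Apache
    // configurations still hand to the PHP interpreter.
    foreach (array_slice(explode('.', $name), 1, -1) as $inner) {
        if (preg_match('/^ph(p|tml|ar)[0-9]?$/i', $inner)) {
            return null;
        }
    }

    // 3. Do not trust the user-chosen name for the final path: prefix a
    //    random token so names can neither be guessed nor collide.
    $root = realpath($uploadDir);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    $target = $root . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '-' . $name;

    // 4. Defense in depth: the destination directory must still resolve to
    //    the upload root even if $uploadDir itself was misconfigured.
    if (realpath(dirname($target)) !== $root) {
        return null;
    }

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640); // stored file is never executable
    return $target;
}
```

Pair the handler with a web server rule that refuses to execute scripts under the upload directory, so a bypass of the extension check still does not yield code execution.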
Once a malicious file, typically a webshell, is uploaded and executed, the attacker can run commands on the server, which can lead to a full site breach.
Consequences include theft of sensitive data, malware injections, redirection to spam sites, and launching further attacks from compromised servers.
Urgent Actions Required
All versions up to 3.3.26 of the Ninja Forms File Upload plugin are affected. Wordfence responded by rolling out firewall protections for premium users on January 8, 2026, and for free users by February 7.
The plugin developers addressed the issue, releasing a partial fix in version 3.3.25 and a complete patch in version 3.3.27 on March 19, 2026.
Admins managing affected WordPress sites must update the plugin to version 3.3.27 or later immediately to safeguard against potential exploits.
Due to the ease with which attackers can exploit this flaw, unpatched sites remain vulnerable to automated scanning tools.