A critical vulnerability in the File Uploads addon for the Ninja Forms WordPress plugin could allow attackers to take control of vulnerable websites, cybersecurity firm Defiant warns.
Extent of the Vulnerability
The affected addon is reportedly used by approximately 50,000 websites, and Defiant says it has already observed numerous exploitation attempts. The flaw, tracked as CVE-2026-0740 with a CVSS score of 9.8, is an unauthenticated arbitrary file upload vulnerability.
The issue arises from inadequate file type validation in the addon's file-upload handling. Specifically, the flaw lies in the step that saves an uploaded file into the designated uploads folder.
Technical Details and Risks
The vulnerability stems from insufficient verification of the destination filename before an uploaded file is moved into the uploads directory, which allows files with a .php extension to be uploaded. According to Defiant, the lack of filename sanitization also enables path traversal, so an uploaded file can be placed in the webroot rather than in the uploads directory.
This allows unauthenticated attackers to upload malicious PHP code to the server of a vulnerable site and thereby achieve remote code execution (RCE). Through this exploit, attackers can deploy web shells and potentially gain full control over the affected website.
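The two defects described above (an unsanitized destination filename that permits path traversal, and no extension check that would stop a .php file) are exactly what a destination-filename validator must close. The following is an added illustration written for this article, not code from Ninja Forms or Defiant; the function name and the extension allowlist are assumptions.

```php
<?php
// Added example (not Ninja Forms code): decide where an upload may be written,
// or refuse it. Returns the full destination path, or null if the name is unsafe.
function safe_upload_destination(string $client_name, string $uploads_dir): ?string {
    // Allowlist of extensions; anything else (php, phtml, phar, htaccess, ...) is refused.
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

    // Drop any directory component the client supplied ("../", "..\\", "/var/www/...").
    $name = basename(str_replace('\\', '/', $client_name));

    // Reject empty names, dotfiles (.htaccess) and NUL bytes (path truncation in C-backed APIs).
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return null;
    }

    // Every extension in a multi-extension name must be allowed, so both
    // "shell.php.png" and "shell.png.php" are rejected.
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return null;
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return null;
        }
    }

    // Restrict the base name to a conservative character set.
    if (!preg_match('/^[a-z0-9_-]{1,100}$/', $parts[0])) {
        return null;
    }

    // Defense in depth: the resolved parent directory must be the uploads directory itself.
    $base = realpath($uploads_dir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($target)) !== $base) {
        return null;
    }
    return $target;
}

// Constructed sample inputs, using the system temp directory as the uploads folder:
var_dump(safe_upload_destination('report.pdf', sys_get_temp_dir()));      // full path under temp dir
var_dump(safe_upload_destination('../../evil.png', sys_get_temp_dir()));  // traversal stripped, stays in temp dir
var_dump(safe_upload_destination('../../shell.php', sys_get_temp_dir())); // NULL: extension not allowed
var_dump(safe_upload_destination('shell.php.png', sys_get_temp_dir()));   // NULL: inner .php rejected
```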
Response and Recommendations
The vulnerability, discovered and reported by security researcher Sélim Lanouar through the Wordfence bug bounty program in January, earned a reward of $2,145. Users of the Ninja Forms – File Uploads plugin are strongly urged to update to version 3.3.27 promptly, as all preceding versions are susceptible to this issue.
Website administrators should therefore update the addon promptly to mitigate the risk. The update fixes the identified flaw and strengthens the overall security posture of sites using the Ninja Forms plugin.
