A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. Identified as CVE-2026-0740, the issue is currently exploited in attacks.
According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours. With over 600,000 downloads, Ninja Forms is a popular WordPress form builder that lets users build forms through a drag-and-drop interface without writing code. Its File Upload extension, included in the same suite, serves 90,000 customers.
With a critical severity rating of 9.8 out of 10, the CVE-2026-0740 vulnerability affects Ninja Forms File Upload versions up to 3.3.26. According to Wordfence researchers, the flaw is caused by a lack of validation of file types/extensions on the destination filename, allowing an unauthenticated attacker to upload arbitrary files, including PHP scripts, and also manipulate filenames to enable path traversal.
"The function does not include any file type or extension checks on the destination filename before the move operation in the vulnerable version," Wordfence explains. "This means that not only safe files can be uploaded, but it is also possible to upload files with a .php extension."
"Since no filename sanitization is utilized, the malicious parameter also facilitates path traversal, allowing the file to be moved even to the webroot directory."
"This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server."
The potential repercussions of exploitation are dire, including the deployment of web shells and complete site takeover.
Discovery and fixes
The vulnerability was discovered by security researcher Sélim Lanouar (whattheslime), who submitted it to Wordfence's bug bounty program on January 8. Following validation, Wordfence disclosed the full details to the vendor on the same day and pushed temporary mitigations via firewall rules to its customers.
After patch reviews and a partial fix on February 10, the vendor released a complete fix in version 3.3.27, available since March 19. Given that Wordfence is detecting thousands of exploitation attempts daily, users of Ninja Forms File Upload are strongly recommended to prioritize upgrading to the latest version.
Understanding the vulnerability
The CVE-2026-0740 vulnerability represents a classic example of inadequate input validation in file upload functionality. The core issue lies in how the plugin handles uploaded files without properly checking their extensions or sanitizing filenames before moving them to their final destination.
In a properly secured file upload system, several layers of validation should occur:
- File type verification - Checking the MIME type and file signature, not just the extension
- Filename sanitization - Removing or encoding potentially dangerous characters
- Path traversal prevention - Ensuring filenames cannot contain directory traversal sequences like "../"
- Safe upload directory - Storing files outside the webroot or with proper access controls
By failing to implement these basic security measures, the Ninja Forms File Uploads extension created a perfect attack vector for unauthenticated users to execute arbitrary code on vulnerable WordPress sites.
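The four layers above, as an added example written for this article in the language a WordPress plugin would use. This is illustrative code, not code from Ninja Forms, Wordfence or the researcher; the allowlist, the upload directory, the exception class and every function name are assumptions. It assumes PHP 8 and an upload directory that already exists (ideally outside the webroot, as the last layer recommends).

```php
<?php
declare(strict_types=1);

// Added example (not Ninja Forms or Wordfence code): a hardened upload routine
// that applies the four validation layers. Names and the allowlist are assumptions.

final class UploadRejected extends RuntimeException {}

// Layer 1: allowlist keyed by extension, each mapped to the MIME types libmagic
// may report for it. It is applied to the DESTINATION name, which is exactly the
// check the article says the vulnerable version lacked.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Layers 2 and 3: reduce the user-supplied destination name to a plain basename.
// basename() drops every directory component, so "../" cannot survive; the
// character allowlist then removes anything a web server might treat specially.
function sanitize_filename(string $requested): string
{
    $base = basename(str_replace('\\', '/', $requested));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    $base = ltrim($base, '.');                       // no hidden files such as ".htaccess"
    if ($base === '' || strpos($base, '..') !== false) {
        throw new UploadRejected('unusable filename');
    }
    return $base;
}

// Layer 1, extension part: every dotted suffix must be on the allowlist, so
// "report.php.pdf" style double extensions are rejected as well as "shell.php".
function validated_extension(string $safeName): string
{
    $parts = explode('.', $safeName);
    if (count($parts) < 2) {
        throw new UploadRejected('missing extension');
    }
    foreach (array_slice($parts, 1) as $suffix) {
        if (!isset(ALLOWED_TYPES[strtolower($suffix)])) {
            throw new UploadRejected("extension '$suffix' not allowed");
        }
    }
    return strtolower(end($parts));
}

// Layer 1, content part: sniff the file signature instead of trusting the name.
function detect_mime(string $path): string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($type === false) {
        throw new UploadRejected('could not sniff file content');
    }
    return $type;
}

// Layer 4: build the destination inside a fixed directory and re-verify that the
// resolved parent really is that directory before anything is moved.
function destination_path(string $uploadDir, string $storedName): string
{
    $root = realpath($uploadDir);
    if ($root === false) {
        throw new UploadRejected('upload directory missing');
    }
    $dest = $root . DIRECTORY_SEPARATOR . $storedName;
    if (realpath(dirname($dest)) !== $root) {
        throw new UploadRejected('destination escapes upload directory');
    }
    return $dest;
}

function store_upload(string $tmpPath, string $requestedName, string $uploadDir): string
{
    $safeName = sanitize_filename($requestedName);
    $ext      = validated_extension($safeName);
    $mime     = detect_mime($tmpPath);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new UploadRejected("content type $mime does not match .$ext");
    }
    // Never reuse the client's name on disk: a random name removes any remaining
    // ambiguity and cannot overwrite an existing file.
    $dest = destination_path($uploadDir, bin2hex(random_bytes(16)) . '.' . $ext);
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new UploadRejected('move failed');
    }
    return $dest;
}

// Demonstration of the name checks alone; no real upload is required.
if (PHP_SAPI === 'cli') {
    foreach (['scan.pdf', 'photo.PNG', '../../shell.php', 'a.php.jpg', '.htaccess'] as $name) {
        try {
            echo "$name -> accepted as ." . validated_extension(sanitize_filename($name)) . "\n";
        } catch (UploadRejected $e) {
            echo "$name -> rejected: {$e->getMessage()}\n";
        }
    }
}
```

Running the file from the command line prints one verdict per sample name: the two document names are accepted, while the traversal name, the double extension and the dotfile are rejected before any filesystem operation happens. The content check and the realpath containment check only run inside store_upload, i.e. on an actual upload.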
The exploitation process
Attackers can exploit this vulnerability through a relatively straightforward process:
- Send a crafted HTTP request to the vulnerable file upload endpoint
- Include a malicious PHP file (or any file type) in the request
- Manipulate the filename parameter to include path traversal sequences
- The server moves the file to the webroot directory with a .php extension
- The attacker accesses the uploaded file via a web browser
- The PHP code executes with the permissions of the web server
This type of attack can lead to complete system compromise, as the attacker gains the ability to execute any code on the server, potentially installing backdoors, stealing data, or using the compromised site as a launchpad for further attacks.
Impact and affected users
With over 90,000 customers using the File Upload extension, the potential impact is significant. Any WordPress site running a vulnerable version of Ninja Forms File Upload is at risk, particularly those that allow public file uploads or have forms accessible to unauthenticated users.
The high severity rating (9.8/10) reflects the ease of exploitation and the severe consequences of a successful attack. Unlike some vulnerabilities that require specific conditions or authentication, this flaw can be exploited by any visitor to an affected site.
Mitigation and protection
For users of Ninja Forms File Upload, immediate action is required:
- Upgrade immediately - Update to version 3.3.27 or later, which contains the complete fix
- Implement firewall rules - If using Wordfence or similar security plugins, ensure the relevant rules are active
- Monitor for suspicious activity - Check web server logs for unusual file upload patterns
- Consider temporary workarounds - If immediate upgrade isn't possible, restrict access to forms or disable the File Upload extension temporarily
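For the "monitor for suspicious activity" item, here is an added example of what a log review can look for; it is written for this article and is not from Wordfence or the vendor. It scans Apache/Nginx combined-format access log lines for the two traces this class of attack leaves that are visible in such logs, and optionally lists PHP files found under the uploads directory on disk. The log lines are constructed (documentation IP ranges, made-up timestamps), and the action name example_upload is a placeholder, not the plugin's real endpoint; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not from the article's sources): flag the traces an arbitrary
// file upload attack leaves in an access log, then check the uploads tree on disk.

// Constructed sample log lines; IPs, times and the upload action name are made up.
const SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2026:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=example_upload&filename=..%2F..%2Fshell.php HTTP/1.1" 200 54 "-" "curl/8.5"',
    '203.0.113.7 - - [20/Mar/2026:10:15:03 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 200 1320 "-" "curl/8.5"',
    '198.51.100.4 - - [20/Mar/2026:10:16:10 +0000] "GET /wp-content/uploads/2026/03/report.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Mar/2026:10:17:00 +0000] "POST /wp-admin/admin-ajax.php?action=example_upload HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
];

const COMBINED_LOG = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)/';

function parse_line(string $line): ?array
{
    return preg_match(COMBINED_LOG, $line, $m) === 1 ? $m : null;
}

// Decode repeatedly so double-encoded traversal ("%252e%252e%252f") is still seen.
function fully_decoded(string $uri): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    return strtolower($uri);
}

function classify(array $req): ?string
{
    $uri   = fully_decoded($req['uri']);
    [$path, $query] = array_pad(explode('?', $uri, 2), 2, '');

    // Trace 1: a script served from the uploads tree. A site never needs this,
    // and a 200 response means the dropped file actually executed.
    if (str_starts_with($path, '/wp-content/uploads/')
        && preg_match('/\.(?:php\d?|phtml|phar)(?:$|\/|\.)/', $path)) {
        return $req['status'] === '200' ? 'CRITICAL: script executed from uploads' : 'HIGH: script probe in uploads';
    }
    // Trace 2: traversal or an executable extension in the query string of a POST.
    // Only the query string is checked, because the endpoint itself ends in .php.
    if ($req['method'] === 'POST' && (str_contains($query, '..') || str_contains($query, '.php'))) {
        return 'HIGH: traversal or script extension in upload request';
    }
    return null;
}

function scan_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        $verdict = classify($req);
        if ($verdict !== null) {
            $findings[] = sprintf('%s %s %s %s -> %s', $req['ip'], $req['method'], $req['uri'], $req['status'], $verdict);
        }
    }
    return $findings;
}

// Access logs do not record POST bodies, so the most reliable evidence is the
// file itself: list anything executable-looking under the uploads directory.
function script_files_under(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (preg_match('/\.(?:php\d?|phtml|phar)$/i', $file->getFilename())) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    foreach (scan_log(SAMPLE_LOG) as $finding) {
        echo $finding, "\n";
    }
    $uploads = $argv[1] ?? null;        // optional: path to wp-content/uploads
    if ($uploads !== null && is_dir($uploads)) {
        foreach (script_files_under($uploads) as $p) {
            echo "script file on disk: $p\n";
        }
    }
}
```

On the constructed lines the scanner reports the first request as HIGH (traversal in the query string) and the second as CRITICAL (a .php served with 200 from the uploads tree); the PDF download and the ordinary POST produce no finding. Because standard access logs omit POST bodies, a filename that was only sent in the body will not appear in trace 2, which is why the on-disk check and the follow-up request to the dropped file are the signals to rely on.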
For WordPress site administrators, this vulnerability serves as a reminder of the importance of:
- Keeping all plugins and themes updated
- Using reputable security plugins
- Monitoring security advisories for critical components
- Implementing defense-in-depth strategies
The broader context
This vulnerability is part of a concerning trend in WordPress security. As one of the most popular content management systems, WordPress is frequently targeted by attackers, and third-party plugins often introduce security weaknesses.
Recent similar vulnerabilities include:
- A critical RCE flaw in a WordPress membership plugin with 900,000 installs
- A file read flaw in the Smart Slider plugin affecting 500,000 sites
- An SQL injection vulnerability in the Elementor Ally plugin impacting 250,000+ WordPress sites
The Ninja Forms vulnerability demonstrates how even well-established plugins with large user bases can contain critical security flaws. It also highlights the importance of responsible disclosure processes, as the coordinated effort between the security researcher, Wordfence, and the vendor helped protect users while a fix was developed.
Conclusion
The CVE-2026-0740 vulnerability in Ninja Forms File Uploads represents a serious threat to WordPress sites, with active exploitation already occurring. The combination of critical severity, ease of exploitation, and the plugin's popularity makes this a high-priority security issue.
Site administrators should treat this as a critical security update and upgrade immediately. The incident also serves as a broader reminder of the security challenges in the WordPress ecosystem and the need for vigilant maintenance and security practices.
For developers, this vulnerability underscores the importance of proper input validation and secure file handling practices. For users, it reinforces the need to keep all components of their WordPress installations up to date and to monitor security advisories closely.
